Merthyr Tydfil County Borough Council in Wales has made a statement of acknowledging the very real threat of cybercrime by becoming the first local authority in Wales to insist that cyber resilience is a must for each enterprise it has dealings with.

Local councils tackling cybercrime head on

Partnering up with the Cyber Resilience Centre for Wales (WCRC), the county council is now requesting businesses tendering for services, works and goods for, or to, the council have either Cyber Essentials or WCRC Core Membership in place. This is a simple but effective way to make certain that they are well protected from the most common kinds of cyberattacks currently in circulation.

In a statement, Corporate Information Security Officer (CISO) for Merthyr Tydfil County Borough Council, Ryan James, said:

“We have been promoting cyber resilience for a long time with the businesses we use as part of our procurement process but there is a definite feeling of reluctance to take this on board, which I think comes from the mindset that a cyber-attack just won’t happen to them. Yet, this is quite the opposite and by ensuring we practice this level of cyber security, we are protecting our own supply chain.”

James added that the council felt it must act after witnessing an increasing number of enterprises falling victim to cybercrime. With guidance and assistance from WCRC, it is now enforcing a rule that makes it compulsory for any supplier tendering with the local authority going forward to have one of the two vital cyber resilience measures in place as a minimum if they wish to even be a contender for a council contract.

Chief Executive for the council, Ellis Cooper, commented:

“Determining whether our supply chain meets our cyber security requirements is essential to us as an organisation, a vulnerable supply chain can cause damage and disruption.”

Cooper added that working alongside the WCRC, the council could ensure its suppliers were prepared and in possession of all the information required to maintain strong cyber resilience.

Rising cybercriminal threats to local councils

While multinational corporations being hit by cyberattacks are more common in the headlines, local authorities here in the UK have become an attractive target for a wide range of cybercriminals, including notorious ransomware operators.

Ransomware gangs infiltrate victims’ networks, locking users out of vital systems and data, often simultaneously exfiltrating confidential information during attacks. They then issue their targets with a ransom demand in return for the decryption key that will unlock their data records and operating systems. The stolen data exfiltrated is used as an additional threat to coerce payment. The attackers threaten to release sensitive data online unless the ransom demand is met.

Local authorities store personal data on thousands of citizens who live within their boundaries and supply critical services via their online platforms. The disruption and harm an attack can potentially cause when launched on a council create the ideal environment for threat operators to gain the advantage in ransomware negotiations and allow them to achieve their cybercriminal objectives.