Unsupported software figures show councils 'still aren't serious about security'

When we think about our local council, the chances are we think about the everyday services it provides: street cleaning, social care, planning, that kind of thing.

Underpinning these services is an administrative system built on technology architecture that needs to run smoothly, be secure, and be well maintained if it's to provide the level of service citizens expect at a price that's affordable.

Thirty-seven attacks every minute

Research from IT service provider Comparex recently revealed that nearly half of all councils in England are still reliant on server software that is no longer officially supported by its vendor.

The research found that 24% of councils were still running Windows Server 2000 or Windows Server 2003, support for which ended in 2010 and 2015 respectively, while 38% were running Microsoft SQL Server 2005, which hit end-of-life in 2016. In total, it was found that 46% of councils reported using one or more of these products, and therefore running critical infrastructures that could be vulnerable to attacks, breakage and general inefficiency. That's particularly alarming given the surge in the number of attacks targeting the public sector over the past few years.

Comparex found that 94% of councils running Windows Server 2000 or Windows Server 2003 planned to upgrade within the next two years and 88% of those running Microsoft SQL Server 2005 had plans to upgrade in the next couple of years. As custodians of vast amounts of public data, that's certainly a step in the right direction, but, if we're also to account for delays or technical teething problems in the upgrade process, it still gives plenty of time for flaws to emerge.

It was recently discovered that UK local authorities have faced more than 98 million cyber attacks over the past five years, according to data gathered by Big Brother Watch using Freedom of Information requests. That equates to at least 37 attempted breaches every minute, and at least one in four of these attempts resulted in an actual breach during the 2013 to 2017 period.

Security still isn't a priority

Coming up with an upgrade plan is difficult enough, but actually beginning the process is another beast entirely. James Moar, senior analyst at Juniper Research, tells Cloud Pro that security is still seen as an afterthought, particularly at a time of dwindling budgets.

"Councils, like many businesses, are still likely to see security as an additional cost, rather than a necessity," says Moar. "While the GDPR and other recent legislation has highlighted the need to more tightly control access to data, this is unlikely to cause councils to rethink their whole information security posture."

The problem is compounded by the fact Microsoft's upgrading process isn't exactly user-friendly. "So far as I'm aware, there's no direct upgrade route from Windows Server 2000 to Windows Server 2012," explains Richard Edwards, IT research analyst at Freeform Dynamics. "So, the only option would be to upgrade to Windows Server 2003 and then to Windows Server 2012. That's not a good use of anyone's time."

"There are, of course, alternatives to upgrading," adds Edwards. "A Windows file server can be replaced by an appliance or cloud storage services. Databases can be consolidated or considered for replacement by other SaaS applications. There are many options to look at."

Trusting third-party providers

The problem councils face is finding the best route through budgetary constraints to a back-end system that's as secure as it can be, that meets the requirements of GDPR and other legislation, and that's able to be kept up to date in a cost-efficient way.

"GDPR encourages best practice, but policies themselves don't keep hackers out," says Edwards. "IT departments may have expertise in running old systems, and they may have mitigations in place to address hardware failure, but it's not good business to run any business on unsupported systems."

In response to the report, Georgina Maratheftis, programme manager for Local Government at techUK, tells us that cyber security "must be taken seriously by everyone in councils, not just the IT and cyber team".

"If anything, the General Data Protection Regulation (GDPR) should be an opportunity for councils to build a culture of data trust and review current cyber security procedure and training.

"Understandably, councils continue to face financial pressures and constraints, but they should weigh up the long-term and reputational costs if they do not act now."

One solution is for councils to look to cloud providers for alternatives, particularly as technologies like virtualisation not only help cut down on the costs of running infrastructure, but are also far more efficient than housing physical servers on-premise. This, of course, would require a great deal of decommissioning on the part of the councils, and they may be reluctant to break from tradition and hand over the management of systems to a third party.

"There's still the issue of out-of-date software," explains Edwards. "SaaS solutions are available to meet an unimaginable range of business requirements. These should be investigated, and where existing SaaS platforms are in use, consider how they might feature as part of a re-platforming strategy."

Unfortunately, recent research by Citrix revealed that a staggering 80% of councils are still reliant on on-premise architecture. Some experts claim that many authorities are facing difficulty securing buy-in from senior leadership, particularly when it comes to alleviating fears over changing workplace cultures or the greater demand a move may have on employee skill sets.

Inaction is not an option

Given the access that local councils have to public data, doing nothing is not really an option even if the current budgetary climate is forcing authorities to make drastic cutbacks.

As James Moar of Juniper Research explains, councils need to "be aware of penalties for non-compliance with data handling and data security regulations. While the costs of a rigorous cybersecurity posture may seem large, the penalties and PR fallout are likely to be much larger."

"To not be worried about attacks in the current climate is to be naïve about cybersecurity," he adds. "While the benefit of an attack may not be immediately obvious to potential targets, that does not mean they will not be targeted."

Sandra Vogel
Freelance journalist