
Only 10% of UK councils have robust cybersecurity training policies in place

Councils hold highly sensitive, confidential data on even the most vulnerable individuals, yet a new investigation by compliance training provider Skillcast has revealed that the vast majority are failing to adequately train staff against the ongoing threat of cyber attacks.

To understand how councils across the UK approach cybersecurity training, Skillcast issued Freedom of Information requests to local councils, before analysing their respective cybersecurity awareness training policies.

Questions focused on the quantity of staff members who have taken part in training over the past year, whether the training is mandatory or not, and the frequency of refresher training.

These answers were then scored against a ranking system to create an index evaluating whether training is mandatory, how often it is refreshed, and how the council enforces it. Each council was then placed in one of four tiers:

  • Tier A (top performers)
  • Tier B (mid performers)
  • Tier C (needs improvement)
  • Tier D (poor performers)

Only 10 per cent of UK councils were found to have robust cybersecurity training policies, with only four out of the 37 who responded achieving top-tier ‘A’ status. These are:

  • Belfast City Council
  • Buckinghamshire Council
  • Bournemouth Christchurch and Poole Council (BCP Council)
  • City of Edinburgh Council

These high achievers are a distinct minority, though: the majority of audited councils failed to secure the top-tier ranking.

Worst Performing Councils

Exeter City Council emerged as the lowest-scoring authority in the index, having only introduced mandatory cybersecurity training this year. Because of this, Exeter City Council could not be compared against the other factors in the index, such as the frequency of refresher training or the requirements placed on elected members.

In direct contrast to the Tier A councils, Dacorum Borough Council and Maidstone Borough Council only provide refresher training once every three years, creating a risky knowledge deficit. Similarly, a critical blind spot was identified at Eastbourne Borough Council, Maidstone Borough Council, and Kirklees Council, where cybersecurity training is entirely optional for elected members. Because these officials typically serve four-year terms and handle highly confidential data, this training exemption can create a significant vulnerability.

Structural tracking failures further deflated index scores across the board. Kirklees Council was unable to specify its training frequency, while Crawley Borough Council failed to disclose its refresher policies, dropping both authorities into the lowest performance bracket, Tier D.

Top performing councils

Belfast City Council, Buckinghamshire Council, BCP Council, and City of Edinburgh Council were all deemed to have rigorous, frequent, and fully inclusive cybersecurity training with a confirmed enforcement mechanism, placing them all in Tier A.

What separates the top performers from the rest of the index is the frequency of refresher training, with all four running monthly training sessions to keep pace with evolving cyberthreats. To counter training fatigue and keep employees engaged, Buckinghamshire Council delivers its cybersecurity refreshers as concise e-learning modules and quizzes.

By combining regular, mandatory training with bite-sized learning formats, these Tier A councils provide a practical template for reducing human error and keeping sensitive public data secure.

According to the government’s Cyber Security Breaches Survey, over four in 10 businesses and three in 10 charities reported experiencing some kind of cybersecurity breach or attack in the past 12 months alone.

Cyberattacks, aided by advancing technologies and the rapid development of AI, are now so prevalent that every organisation across both the public and private sectors is at risk.

Recent research has found that human error contributes to 95 per cent of cyber breaches, underlining that cybersecurity training is a necessity for all organisations if employees are to identify potential threats and feel confident reporting them.

Because local authorities often manage integrated databases with extensive public reach, hosting essential services from council tax and welfare benefits to parking and transport, the stakes are uniquely high. A breach risks not only leaking constituents’ personal data but also bringing essential services to a halt for an unforeseeable period.

Commenting on the research, Vivek Dodd, CEO of Skillcast said: “Local councils are the custodians of our most sensitive and personal information, so it is alarming to see that while cybercriminals are becoming increasingly smarter, our research shows a massive disparity in how local authorities are defending themselves. 

“The Tier A councils demonstrate that monthly, digestible training is achievable, while others are leaving dangerous knowledge gaps or completely exempting elected councillors from mandatory training. 

“With research showing that human error triggers 95 per cent of all data breaches, councils need to reform how they approach cybersecurity training, as the threat and intelligence of cyberattacks grow rapidly. Under the new Cyber Security and Resilience Bill, the regulatory landscape is changing and underperforming councils can no longer afford to wait and must now focus on building a culture of digital vigilance.”

About Sarah OBeirne
