London’s Hackney Council is tendering for new security assurance capabilities. It will evaluate several suppliers to take on the task, following a ransomware attack on its systems last year that, months later, has left many of its critical services disrupted.
In a request for proposal (RFP) posted to the government’s Digital Marketplace, the council said it intended to establish and manage its risks across all its ICT environments to minimize the risk of a future cyber attack on its systems.
“Hackney Council is reviewing the way we deliver security assurance, following a cyber attack in October 2020 and implementing changes where required,” the council wrote.
“This work will include a review of some of our technological tools as well as our governance arrangements and processes. This work will be underpinned by a concurrent piece of work focused upon the security culture within the team.”
The project will deliver two critical strands of work: a review and strengthening of policies, processes, and procedures; and analysis and implementation of new security, behavior, and skills capabilities.
The council said it had already identified several skills gaps and capacity shortages of its own accord that could hinder the rapid delivery of the project: user research to establish current behaviors and cultures impacting cyber security; analysis of business, procedure, and policy to distill that information and turn it into actionable practice; and senior security practice to assist in the design of new processes, and delivery of training and best practice to council staff.
The budget for the project is between £200,000 and £250,000, excluding VAT, and the program is set to run for approximately six months, with the selected team working alongside the council’s staffers “in an agile project style”, probably remotely due to the pandemic. The closing date for applications is set for 2 February 2021.
The attack has affected thousands of Londoners and caused ripple effects that go far beyond the availability of IT systems – for example, property purchases in the borough have ground to a halt.
Although the council was at first reluctant to disclose the precise nature of the attack, it was forced to confirm it was ransomware after the Pysa/Mespinoza gang leaked some of the stolen data online earlier in January in an attempt to conduct a double extortion attack.
The fact that the data was leaked at all is a strong indicator that the council has not paid the gang – which is described by Emsisoft’s Brett Callow as “horribly amateurish” – any ransom money and is wisely refusing to do so.