Trafford Council
Supercharging Cybersecurity & Governance
Briefly describe the initiative/ project/service; please include your aims and objectives
This project aimed to strengthen Trafford Council’s cybersecurity posture to protect against evolving cyber threats, ensuring the safety and integrity of sensitive data, internal systems, and public services in an increasingly digital landscape. The primary focus was to identify and address existing vulnerabilities, reinforce existing systems, and implement robust defence strategies while fostering a proactive cybersecurity culture across the Council. With over 2200 employees, the council faces multiple potential targets for cyberattacks, making it essential to prioritise both technical security measures and awareness initiatives. Cultivating a culture of cybersecurity awareness and best practices was therefore a key focus to ensure the confidentiality, integrity, and availability of all digital assets and services.
Aims and Objectives:
– Cybersecurity Risk Assessment and Vulnerability Identification Objective: Conduct a comprehensive cybersecurity audit to assess current vulnerabilities, identify potential risks, and understand the existing security posture.
– Implementation of Advanced Security Controls Objective: Deploy enhanced security measures to protect the council’s IT infrastructure, sensitive data, and communications.
– Employee Training and Awareness Programs Objective: Build a cybersecurity-aware culture through targeted training and awareness campaigns for council staff.
– Strengthening Incident Response and Recovery Plans Objective: Establish a robust incident response (IR) and disaster recovery (DR) plan to quickly address and mitigate cyber incidents.
– Strengthening Compliance with Regulatory Standards Objective: Ensure that all cybersecurity measures align with national and industry-specific regulatory standards (e.g., GDPR, CAF, Cyber Essentials).
– Continuous Monitoring and Reporting Objective: Set up continuous monitoring systems to detect and respond to potential security incidents in real-time.
What are the key achievements?
Before the establishment of the dedicated Cybersecurity Team, security incident resolution at Trafford Council averaged 14 days per ticket. Since the team’s formation, this has been dramatically reduced to just 23 hours. The team’s ability to triage, prioritise, and co-ordinate swift responses has been crucial in achieving this impressive reduction in response time. A thorough gap analysis and review of frameworks revealed a significant need for enhanced vulnerability awareness and analysis—an area where many local councils face similar challenges. In response, Trafford Council implemented Tenable Vulnerability Management (previously known as Tenable.io) as a core vulnerability scanning tool. This strategic acquisition allows us to proactively assess our systems from an attacker’s perspective, identifying vulnerabilities and strengthening our defences accordingly.
With the goal of improving monitoring and detecting emerging incidents, Trafford IT has also implemented and configured its SIEM (Security Information and Event Management) tool. This work was crucial in helping Trafford to understand and reduce the threat landscape and attack surface while ensuring maximum coverage and cost-efficiency. While still in the early stages, this marks a vital step in building resilience against the growing momentum of cyber threats targeting local government.
As part of our Cyber innovation approach with the business, we launched Cyber Awareness Month (CAM), which has played a pivotal role in educating staff about the real, evolving threats posed by cyber attackers. Hosted annually in November—prior to the holiday season when social engineering attacks peak—CAM equips staff with the knowledge to identify and report security incidents. Through tailored training and the promotion of security incident reporting, employees are empowered to detect and flag suspicious activity, such as phishing emails, which are then thoroughly investigated and mitigated as necessary.
The Cybersecurity Team also conducted a series of highly successful roundtable events (pic2), offering in-person training sessions. These sessions were well-received, with positive feedback leading to their expansion into year-round offerings, based on requests from department managers. This ongoing initiative ensures that cybersecurity awareness remains a priority across all teams and departments at Trafford Council.
The team introduced standard operating procedures (SOPs), which ensure consistency, efficiency, and clarity in Trafford. SOPs provide clear, step-by-step instructions for routine tasks, helping the IT staff to follow a unified approach to work processes. By standardising practices, SOPs reduce variability, minimise errors, and improve overall productivity. They also serve as an important tool for training new employees, ensuring they can quickly understand their roles and responsibilities.
Additionally, SOPs help maintain compliance with regulatory standards and industry best practices, creating a reliable framework for decision-making and problem-solving. Overall, the introduction of SOPs fosters a more organised, streamlined work environment, which contributes to the achievement of business goals and continuous improvement. Through these efforts, Trafford Council has significantly improved its cybersecurity posture, making meaningful strides in proactive defence, staff awareness, and incident response.
Achievements:
Cybersecurity Risk Assessment and Vulnerability Identification
– Improved performance of vulnerability scans and penetration testing by introducing Tenable.io and enhanced SIEM configuration.
– Proactively analysed security gaps in current systems, software, and infrastructure.
– Developed a detailed cyber risk register.
Implementation of Advanced Security Controls
– Updated and upgraded firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption protocols.
– Strengthened endpoint security and implemented multi-factor authentication (MFA) across 2200 users.
Employee Training and Awareness Programs
– Developed and delivered a series of online cybersecurity training modules with our partner Boxphish.
– 1500 staff completed Boxphish training modules over the 4-week CAM.
– Conducted phishing simulation exercises and other threat response drills.
Strengthening Incident Response and Recovery Plans
– Created and documented clear cybersecurity major incident response processes and protocols.
– Established communication protocols for internal and external stakeholders during an incident.
Strengthening Compliance with Regulatory Standards
– Performed a compliance audit to ensure adherence to relevant security regulations and completed a CAF readiness assessment with action plan.
– Implemented changes to meet compliance requirements.
– Maintained records of compliance for auditing.
Continuous Monitoring and Reporting
– Implemented Security Information and Event Management (SIEM) systems.
How Innovative is your initiative?
The Cybersecurity team had seen minimal impact from traditional training and awareness approaches so adopted a more personal approach via face-to-face interactions with our employees during the roundtable events. We engaged directly with employees and heard firsthand about the cybersecurity challenges they face in their daily roles. The roundtable events provided a unique opportunity to understand their concerns and perspectives, particularly when it comes to the growing risks posed by social engineering, phishing attempts, and the ever-evolving threat landscape driven by advancing technologies.
Our users, who are on the front line of these threats, offer crucial insights into the types of vulnerabilities they encounter most frequently. By engaging with them in an interactive, open forum, we are not only able to educate and inform them in a more personal, impactful way, but we also gain a deeper understanding of their needs. This approach allows the cybersecurity team to go beyond relying solely on data and statistics to prioritise security efforts. Instead, we hear directly from those who face these risks daily, ensuring that the focus of our cybersecurity strategy aligns with real-world challenges and user experiences.
These in-person interactions foster a dynamic exchange of ideas, enabling us to tailor our cybersecurity initiatives and training programmes to address the issues that matter most to our employees and provide them with the knowledge and tools they need to stay ahead of potential threats.
What are the key learning points?
Strengthening the cybersecurity posture of the council has been a multi-faceted endeavour that required addressing internal culture, technological investments, compliance requirements, and third-party management. While there were several challenges, such as resource limitations and employee resistance, the project’s successes—particularly in risk management, enhanced security protocols, and improved incident response—demonstrated its effectiveness.
The key learning from this project is the ongoing nature of cybersecurity; it requires continuous adaptation to new threats, ensuring that policies, technologies, and training evolve in tandem with the cyber threat landscape. Policy development has been a large component of Trafford’s Cyber Security journey. New and updated policies that have been added include:
– Updated Patch Management Policy
– Information Security Policy
– Vulnerability Management and Pen testing Policy
– AI Policy
These policies drive the governance that supports how we operate under various frameworks, one primarily being the CAF.
Key Learning Points against aims and objectives:
Cybersecurity Awareness is Critical: Introduction of Boxphish – Employees played a significant role in changing the culture. Training and awareness programmes are essential in reducing human error (e.g. phishing, weak passwords) and fostering a proactive security culture.
Continuous Monitoring is Essential: Cyber threats evolve constantly, making continuous monitoring a necessity. Implementing a robust monitoring system, such as SIEM (Security Information and Event Management), was essential to ensure threats are detected early, allowing for quick responses.
Prioritisation of Risk Mitigation: Not all vulnerabilities are equal. It is important to prioritise and score security risks based on their potential impact on the Council. This helps in allocating resources efficiently and addressing the most critical threats first.
Automation and Patch Management: Automated systems for patching vulnerabilities and updates help reduce the risk of exploitation from known vulnerabilities. Regular, timely patching is a fundamental part of keeping systems secure.
Collaboration with Experts: Engaging with external cybersecurity consultants or vendors provided additional expertise and resources, helping to identify blind spots that internal teams might have missed.
Compliance is Non-Negotiable: Ensuring compliance with regulations like GDPR, CAF, or Cyber Essentials was essential to maintain trust, legal integrity, and operational security standards.
Challenges Faced:
– Resource Constraints: Cybersecurity projects often require substantial investment in both technology and manpower. Budget limitations might delay the implementation of advanced security tools or hiring of specialized personnel.
– Resistance to Change: Trafford staff resisted adopting new security protocols or technology due to lack of understanding, unfamiliarity, or fear of increased workload. Ensuring buy-in from all levels of the council was challenging but necessary.
– Complexity in Implementation: Deploying security controls across all departments, systems, and platforms, particularly in Trafford with many legacy systems, was a time-consuming and complex process.
– Managing Third-Party Risks: With many external partners and suppliers involved in the council’s operations, ensuring they met the same cybersecurity standards was a significant challenge. Misalignment in cybersecurity practices with third parties posed a potential vulnerability.
– Incident Response Planning: Developing an effective and coordinated incident response plan, and then testing it, was difficult. Ensuring Trafford was prepared to act quickly and effectively in the event of a cyber-attack required considerable effort and simulation exercises.
– Keeping Pace with Evolving Threats: The dynamic nature of cyber threats on public organisations, such as evolving ransomware, phishing attacks, and zero-day exploits, made it challenging to stay ahead and continually upgrade security measures in real-time.
Successes:
– Enhanced Security Posture: Trafford successfully deployed updated security technologies, including next-gen firewalls, intrusion detection systems, and encryption protocols, strengthening the overall security posture.
– Increased Employee Awareness: A key success was the launch of Cyber Awareness Month (CAM), which has significantly helped us raise awareness about the constantly changing threats from cyber attackers. In addition, regular training, phishing simulations, and other awareness programmes have produced a noticeable improvement in staff vigilance regarding cybersecurity threats, reducing incidents caused by human error.
Additional Comments
Additional learning points:
Improved Incident Response: The implementation of a robust incident response plan, coupled with regular testing and updates, significantly improved Trafford’s ability to handle cyber incidents effectively, minimizing damage in case of a breach.
Regulatory Compliance Achieved: The council met and maintained compliance with, ensuring that it operated within legal requirements, reducing the risk of penalties and enhancing trust with stakeholders. Significant success.