Building an e-security culture at Blackpool Council to see off future threats

By Gary Flood, July 8, 2018
Summary:
Austerity? Sure - but we also need to be secure, says the IT leadership of Blackpool Council. Can the two aims be met? Head of ICT, Tony Doyle, believes so.

Blackpool is a north-western town with a special place in the nation’s memory as historically one of its most popular holiday destinations, but with a set of very definite 21st century challenges around social deprivation and the need for regeneration.

Leading the charge in terms of fighting to build a more secure environment for the 150,000-person community is the Town Hall, with Blackpool Council in charge of provisioning services, of which defending citizens from harm is a central one, beyond just Police and the Emergency Services.

Specifically, the Council’s IT team need to help protect the network integrity of a wide range of state schools and public libraries, as well as its own office sites. A key compliance driver in all of that work: adherence to Prevent, a prime component of the UK government’s counter-terrorism strategy. Designed to support people at risk of joining extremist groups and being then lured into dangerous waters, it requires teachers, faith leaders, doctors and others to refer any suspicions to a local Prevent body, where an assessment is then made about whether further action is needed.

This work is made slightly trickier by the amount of email traffic hitting its servers that the Council says it needs to filter: it states that over 90% of all emails, or about half a million emails per day, get filtered out as spam. At the same time, the Council has to try and maintain delivery of information and digital support for the multiple public services residents require. Thus there are two drivers, delivering Prevent and protecting the authority’s IT assets, set against a background of on-going austerity and very tight public sector budgets.

How is Blackpool squaring this circle? Ask its Head of ICT, Tony Doyle, and the answer you’ll get: build and integrate an eCulture system around security - an approach that is not only highly functional and gives him the results he needs, but is also, he is adamant, cheaper, too.

“To deal with the level of threat we had, we’ve had to build, and integrate, an e-security culture.”

An enterprise firewall security umbrella

Doyle, who doubles as Blackpool’s Senior Risk Information Officer, says his current way of meeting his information security targets began with adoption of technology from supplier Fortinet back in 2009, following the damage he saw as a result of the Conficker worm.

“Conficker was a real wake-up call for us; we were hit quite badly by that. That’s because it was a multi-vector malware, and made us realise that we needed a more integrated approach to security system around our infrastructure, so that quickly made us want to move away from a point solution approach to security to a more unified threat management one.”

Doyle says he became sure he had made the right technology choice when he felt his assets were sufficiently protected during the May 2017 national WannaCry ransomware attack: he says any WannaCry messages were quickly detected and disallowed from entering the Blackpool network.

As a result of such successes, Blackpool has brought on more and more security technology from the supplier:

“The question then increasingly became, how do we build the right fabric to enable us to talk to each other and automate so we can have a much more whole-system approach to security.”

But why is this way of working - with one prime supplier, extending your relationship as needed with their products - cost-effective? Doyle expressed it like this for diginomica/government:

“We had lots of different security products over the years that worked in isolation from each other. That in itself meant cost - we had multiple licenses, and then we also had to buy into external expertise to manage those different products - all of which meant that we acquired big overhead in terms of being able to stay on top of all those different point solutions.”

Getting ready for the next Zero Day Threat

A case in point is the way it is meeting those Prevent needs in the context of many local schools deciding to go down the Academy route, taking them off direct local authority network protection. Doyle says he has managed to create a good enough understanding with his connectivity partner The Networking People that when a new wide area network for Blackpool schools went live in September last year, an umbrella of security protection was also extended over that new virtual domain technology.

That was particularly useful when one of the town’s largest schools needed to prove to external auditors that it had the requisite Prevent structures in place, he says. The issue: the institution faced significant budget challenges and couldn’t really afford to pay for its current filtering solution, and its IT team were concerned that IT-savvy pupils could potentially find ways to bypass the filtering service.

Doyle says he solved the problem by wrapping the school into his enterprise firewall, while also helping to provide proactive alerting to the school’s leadership for any potential child protection and radicalisation issues, throwing in SSL deep packet inspection to identify any inappropriate activity via encrypted services and even upgrading the school’s wifi so any and all ‘guests’ now have to provide personally identifiable information.

A final, and very welcome, benefit out of unifying all his security under one roof: as the Council can group all its networks and infrastructure devices under one overall picture, he says he now can get a much more granular level understanding of the business impact of any network downtime, component event or failure.

And failure - or at least, actors trying very hard to make his kit fail - Doyle very much expects.

“WannaCry and Zero Day Threat type problems are going to be more and more a challenge, so we need the ability to have systems that talk to each other and throw up a defence very, very quickly.

“I'm not saying we're 100% there yet. But what I'm saying is that by having the kind of security structure we now have and a proactive spectrum we’re getting to the point where we can respond much better to these threats that are all coming so much quicker and faster.”