CCoE’s multi-sector work to understand cyber risks and needs

23.07.25

Created in 2023, the CCoE is already delivering on its mission to help make the UK the safest place in the world to work and play online. Working with multiple sectors to understand their cyber security requirements and budgets has led to the launch of several support packages designed to increase cyber security. Below we outline the ways the CCoE has been working with small businesses, town and parish councils and local authorities in pilot projects over the last twelve months.  

1. Small Business Protection 

The CCoE has recently launched Small Business Protect, a bespoke package of cyber security solutions designed to meet the needs and budgets of the UK’s small businesses.

To understand the cyber support needs of small businesses and to ensure it can offer the range of solutions needed at an appropriate price point, the CCoE spent some time with small business owners in Eastbourne, delivering talks and receiving feedback on what small business owners felt they needed.  

Speaking at one of the talks, Kurtis Toy, Chief Executive of the CCoE, stressed that small businesses should not assume they will not be attacked. “The CCoE is trying to make the UK the safest place to live, work and play digitally in the world by making sure that everyone is protected, from large organisations right down to small businesses.

“The cyber problem is growing and is only going to increase with advances in AI. It is very much an evolutionary arms race – we build a bigger defensive wall, and the attackers build a bigger ladder. Do not be fooled into thinking that because you are a small organisation or a charity or not-for-profit that you won’t be attacked or targeted. It may not just be financial gain an attacker is after, it could be personal information or information that you hold,” Toy added.

Christina Ewbank, Chief Executive of Eastbourne Chambers of Commerce, said she is particularly concerned about the number of cyber-attacks on UK businesses at the moment, which are believed likely to come from China and Russia, due to Britain’s current unpopularity in those areas. While recent attacks have been focused on well-known large retailers, small businesses are far from immune, especially given the stark warning from DragonForce, the criminal gang behind the recent attacks, which has been reported as saying that it has put ‘UK retailers on a blacklist’.

“Taking cyber threat seriously is important whether your business is large or small because being unprepared can have a big impact,” Ewbank added.  

Hanna Searle is the Membership Manager of FOUNDRY Eastbourne, a co-working and networking hub for small businesses and individuals where the CCoE’s Kurtis Toy visited and delivered talks to local businesses and the general public. Searle, who attended one of the talks, said she found it quite alarming to hear about the cyber risks faced by small businesses. “Even a small business can be at risk without even realising – it was quite alarming. The CCoE is helping make things more simple, such as through its products that give a small business access to everything they need without having to go through everything themselves.”

One thing that has become clear through its pilot process with small businesses is that time-pressured and budget-conscious small business owners can be easily confused by the amount of information in the public domain about cyber. This can lead to decision fatigue and overwhelm or the temptation to buy expensive tech that offers to solve all the issues. In his talks at FOUNDRY, Toy strongly recommended not falling prey to either approach.  

“We aren’t an organisation recommending you to spend. In fact, there are ten defences small businesses need and seven of those are free – things like strong passwords and having an incident response plan. The CCoE is here to help cut down that noise and give small businesses access to military-grade protection at high-street prices. We encourage small businesses to get in touch with us for a chat and to find out more.” 

2. Local Authority Protection

The CCoE has worked with Merthyr Tydfil County Borough Council and Blaby District Council to expand its knowledge of what cyber support and protection is needed in a local authority.  

Blaby District Council has been unique as it decided to greenfield its IT provision by bringing previously outsourced services back in house. As part of this process, the council asked the CCoE for some guidance. It was able to access advice from Kurtis Toy, the CCoE’s Chief Executive who is also a vCISO (Virtual Chief Information Security Officer), to help ensure it was on the right track and covering all aspects of cyber security as the project progressed.  

Mike Connell, IT Business Partner at Blaby District Council, said: “Kurtis, the CCoE’s Chief Executive, was an excellent sounding board. He is aware of the challenges we face as a small team and as a smaller district council but understands that our cyber security needs to be as strong as central government. One of the biggest benefits of engaging with the CCoE was to have that trusted partner to bounce off and to benefit from Kurtis’s knowledge as a vCISO.”  

It also helped relieve some of the pressure Connell was under from the extensive task ahead: “Local authorities look at their top IT person for advice but there is quite a lot of pressure in that. The CCoE gives me access to a group of impressive experts with outstanding credentials which I can rely on to help support us.”

At the start of the process, which is due to complete in the summer of 2025, Toy spoke to Connell about the idea of building a wall of defences brick by brick. This idea replaces the old school method of relying on one or two security products to keep your organisation safe and instead suggests an initial twelve bricks that organisations should consider, in addition to backups, to help make cyber defences as strong as possible.  

These are:  

  1. Endpoint Protection
  2. Network Security
  3. Vulnerability Scanning
  4. Training & Awareness
  5. Phishing & Ransomware
  6. 24/7 Monitoring
  7. Compliance & Accreditation
  8. Supply Chain
  9. Data Protection
  10. People & Culture
  11. Response & Recovery
  12. Secure Communications

Part of the process of continual reassessment of Blaby’s cyber defences will be making use of the annual passive scans provided to all councils free of charge by the CCoE. The passive scan is a non-invasive search of the Internet which looks for misconfigurations, security vulnerabilities and exposed data which could be found by anyone who knows where to look. The CCoE carried out a free report for all 382 UK councils in 2023 and repeated the exercise in 2024. Connell said the annual checks were very useful and that the council would probably ask the CCoE to undertake additional regular passive scans as a spot check.

“I am a massive advocate of the passive scan,” says Connell, adding that the best thing about the passive scan was that it was passive and did not add to workload. “Because it is passive it involves no work for us. It gives us a workable action plan which will increase our security stance, but which doesn’t involve work for us to get the list. It is incredibly useful, and I would recommend to everyone to go through that process and make sure they look at the scans.” 

3. Business Continuity Protection

Around 25 senior staff from South Staffordshire Council had the opportunity to take part in a full-day workshop hosted by the Cyber Centre of Excellence (CCoE) which was designed to check their business continuity plans through a staged ransomware attack simulation.

Andy Hoare, Assistant Director Business Transformation & Digital Technology at South Staffordshire Council, said that as an organisation it was very aware of the risks involved with incidents that could affect delivery of services, including fire, flood and cyber-attacks. It also knew that one of the best ways to plan and prepare for such events was through having business continuity plans for each service, a strategy which served them well during the pandemic.

As an organisation it wanted to test these plans again using cyber as a real-life example. It first brought in a guest speaker from Gloucester City Council, which had experienced a cyber-attack, to speak to staff about the impact of an attack on staff and residents. After this, South Staffordshire’s service managers were encouraged to review their business continuity plans. “The leadership team always knew that we were going to do an exercise like the staged ransomware attack, but we wanted to make sure our staff were as prepared as possible,” Hoare explained. “The piece of work that we engaged Kurtis and the team to do was about testing those business continuity plans. It needed to be a real-life scenario, and a ransomware attack was the simplest one which people unfortunately hear about regularly. It was badged as a business continuity workshop because it was, but using cyber to enact those plans.”

The workshop was designed to simulate a ransomware attack with six stages. Each stage was designed to focus on specific challenges, for example, operational, technical, legal and strategic. Key factors that needed to be considered during each stage included: budget limitations and priorities, time and resources, internal and public communication, governance, policies and practices.   

“Everyone engaged with the workshop day really well. It was designed to bring potential issues to the forefront so that if a real attack did happen, they would be more prepared. The good news was that South Staffordshire is prepared with business continuity plans and that was positive to see,” said Kurtis Toy, Chief Executive of the CCoE. 

Hoare said the day had brought about a lot of learning for everyone who had taken part and the organisation’s business continuity plans would be refined as a result.  

“The biggest learning was that as soon as a cyber-attack hits and you potentially lose access to systems you lose all access to your data. For example, planning applications follow a process and for a few days you can get by, but it is a statutory process with deadlines attached to it, and what the planning team realised was that they would need a list of live applications to work from. We have moved away from printing as an organisation, but we realised that having some things printed is crucial from a business continuity perspective,” he added.

Hoare said he would recommend any organisation wanting to test their business continuity plans to carry out a simulated incident. “Is it scary – yes. Even if you think you are prepared you can realise that you are not as well prepared as you thought, which can make you feel uneasy. At the same time, if you have done no planning then think what that would feel like.” 

4. Town and Parish Council Protection

Alongside the CCoE, Councillor Victor Kelly, Chairman of Penkridge Parish Council in South Staffordshire and Paul Bettison OBE, a Councillor for Sandhurst Town Council in Berkshire, are aiming to help educate fellow parish and town councillors about the risks of not being cyber secure.  

There are currently in the region of 10,000 parish and town councils in England with a total spending power of more than £2bn. Individually there are around 100,000 councillors serving in the town and parishes, often working on computers they have provided themselves or which double-up as devices used in their other day jobs. While town and parish budgets are small, they are not insignificant, and these organisations have supply chain links downwards throughout their communities and upwards to county and central government.  

While town and parish councils seem, to their knowledge, to have been largely protected from cyber-attacks so far, central government devolution plans are likely to put greater responsibilities and budgets into town and parish councils, which will make them more attractive cyber-attack targets in the future.

“We want to highlight through the CCoE that if town and parish councillors don’t have adequate cyber security protections and training then they will open themselves up to GDPR issues and also to being hacked,” explained Cllr Kelly, “A town or parish council being hacked could then open a back door for a more significant attack on a county council or central government.”  

Cllr Kelly believes the majority of town and parish councillors are currently relying on standard anti-virus solutions, and that many are unaware of the dangers of clicking on a phishing link or opening a nefarious attachment. “The majority of parish councillors tend to be older people and might not have as much knowledge so they might click on something they shouldn’t or open or forward something that they don’t realise is suspicious,” added Cllr Kelly. “They know a bit about cyber security, but I think the general feeling is that they don’t think it will happen to them. Councillors and their clerks need to be made aware that they need to be careful and if their systems aren’t secure enough, they are opening themselves up to reputational damage and potentially high recovery costs.”

Written by Kurtis Toy, CISSP, CEO of the Cyber Centre of Excellence, and CEO and Lead vCISO of Onca Technologies. Edited by Kyle M.