Photo: Robert Bye on Unsplash

Legacy IT as ‘carbon monoxide’: Lessons from Hackney’s cyber-attack

17 May 2021

by Sarah Wray

In October 2020, the London borough of Hackney suffered a serious cyber-attack from which it is still recovering.

Mayor Philip Glanville labelled the hack “morally repugnant” when it hit in the midst of the COVID-19 pandemic.

Matthew Cain, Hackney Council

Systems that underpinned many essential services from payments to application approvals were impacted and in January it was revealed that some stolen data had been published online.

Newer, cloud-based services were unaffected. This has accelerated the council’s shift to the cloud, ushering in a ‘Cloud, unless’ policy to restore services as quickly as possible and build resilience.

As part of CyberUK last week, an online event organised by the National Cyber Security Centre (NCSC), Matthew Cain, Head of Digital, Data and Customer Services at Hackney Council, shared his frank insight into the lessons learned from the incident.

“If I had been listening to these words a year ago, I’d be doing so with a combination of pity and disdain,” Cain said, adding that the story was “one of digital transformation that hadn’t yet finished”.

Prior to the attack, Hackney had already started modernising its infrastructure, including a focus on user-centred design; building capabilities in service design, API development and serverless approaches; adopting a cloud-first policy; and using software as a service (SaaS) wherever appropriate.

“Yet applications were too often dependent on data trapped in a private data centre,” Cain said. “And we’d already learned the hard way that you can only move as fast as the slowest part of your IT.”

Many of the council’s critical business applications were still dependent on legacy software.

He said: “It’s an interesting phrase, isn’t it? Because legacy doesn’t even suggest something necessarily bad,” noting that it’s too easy for an application to seem “too important to tinker with or too big to really confront”.

“What if you were to actually think of those legacy softwares as your organisation’s carbon monoxide?” Cain commented.

Four lessons

He said the cyber-attack changed the way that IT is viewed within the organisation, with a shift from being seen as an “invisible commodity” and a way to achieve efficiencies, to a recognition of its fundamental importance to critical public services.

Organisations can’t afford to view the business and IT as separate, Cain said, noting: “Technology is critical for everything that we do and we need to understand technology as well as we understand how we deliver our services.”

A second lesson was that “cloud changes everything”, with a shift to the cloud touching on areas from procurement, finance and governance to legal and HR.

“The rapid adoption of our ‘Cloud, unless’ policy has enabled us to really think differently about how we’re structured as an IT team, how we express the value that we provide our users and how we work together across the council” to understand the contextual cost of providing a service, Cain said.

The cyber-attack has also been a reminder that “security is everyone’s responsibility,” not just IT’s.

This means providing staff support and training throughout the organisation and developing robust, repeatable processes.

“The better we get at working effectively together, the better we will be at providing a secure environment,” Cain said.

Further, the incident has also underlined the need for continued investment in skills, including an ongoing digital apprenticeship programme.

Cain said that while cloud adoption will enable more automation, it doesn’t take people out of the process but will change roles, interactions and the skills needed.

“People beat technology every time,” Cain commented. “It’s only through highly skilled people that we will recover successfully from the cyber-attack.”

He concluded: “Of course, we wish the cyber-attack hadn’t happened, yet we also knew that it placed on us a huge responsibility not just to recover to where we were in October last year, but to genuinely build back better.”

Image: Robert Bye on Unsplash

  • Reuters Automotive
https://cities-today.com/wp-content/uploads/2023/11/Dawn-crop.png

Technology inclusion goes beyond internet access in LA

  • Reuters Automotive