UK councils are under immense pressure today to become more efficient as public funds are squeezed even further. Against this backdrop, it’s perhaps no surprise that councils have found it difficult to maintain best practice IT practices. New FOI data has found that nearly half (46%) of local authorities are still using server software which is no longer supported by Microsoft.
The potential security, compliance, and operational efficiency implications are stark. Councils must act now to improve visibility into their software estate and plan an upgrade path. Delaying the inevitable may save money in the short-term, but it’s a false economy which could soon come back to bite hard.
It’s no secret UK local authorities have had it tough over the past eight years. Austerity measures have led to budget cuts of nearly 50% and left many “in a worrying financial position”, according to a recent Public Accounts Committee (PAC) report. At the same time, there is increased pressure on local authorities’ IT systems as more citizens look to access local government services online and interact with councils in this way, meaning security of online channels becomes even more critical.
Digital transformation such as online portals for citizen services is a positive trend as it will help local authorities save money, drive efficiencies, and improve service delivery – but with little left, in the coffers, it becomes yet another drain on resources. Local councils struggle to afford skilled in-house resources and are often hampered by legacy technology.
Nowhere is the problem more evident than in the server software used to support council IT systems. An FOI request to all London Boroughs, Metropolitan, and County Councils in England, found a quarter (24%) still using Windows Server 2003, and even more (38%) are on SQL Server 2005. Both have long since seen support withdrawn by Microsoft. A further 94% are running Windows Server 2008 and SQL Server 2008 software, which has just two years left of extended support. That would be fine if local authorities could afford the high price of continued extended support, but only 13% are paying on Windows Sever 2008 and 9% on SQL Server 2008.
All of those on Windows Server 2000 and 87% on Windows Server 2003 stated that they would upgrade within a year. But there’s less urgency for later versions of the popular server software. Nearly two-thirds (63%) of respondents said it would take them 1-2 years to move off SQL Server 2008 and Windows Server 2008, while over half (58%) of SQL Server 2005 said the same.
Protecting citizens’ data
What’s the danger of not upgrading? In short, when Microsoft pulls support for a product, it means no more official patches are available for it. That means your servers are effectively exposed to cyber-criminals, hacktivists, script kiddies, and even nation-state hackers. They’re past masters at finding vulnerabilities in out-of-date software which can then be exploited for various ends; Windows Server 2003 currently has nearly 150 known significant vulnerabilities, for example.
Server vulnerabilities could be exploited in attacks targeting lucrative stores of citizen data. Councils hold a wide range of highly sensitive personally identifiable information (PII) which could fetch a high price on the cybercrime underground. They’re also at risk from ransomware-related service outages, a newer threat which is already said to have affected a quarter of councils in the past.
According to one report, UK local authorities have been subject to over 98 million cyber-attack over the past five years — that’s 37 per minute. Given the risks involved, delaying vital server software upgrades simply isn’t an option. Some councils may try to prolong their life by installing third-party security tools, but this is an expensive and short-term solution.
There are also strong compliance pressures facing local authorities. The new GDPR could levy strict penalties on those organisations which fail to follow best practices in data protection. If a council suffers data loss because a vulnerable server has been compromised, the regulator will take a dim view. Failing to upgrade also means councils saddled with legacy IT infrastructure and applications — unable to migrate to the more advanced digital systems which could help them run more efficiently.
A way forward
The FOI data suggests that things are slowly improving, with the prevalence of unsupported server software dropping from 70% in 2016 to 46% this year – but there is still work to do. Council IT teams can reduce their risk exposure with some simple measures, for example, scheduling upgrades in an online calendar. But in the longer term, there needs to be a greater emphasis on visibility.
CTOs and IT decision makers in local government must explore solutions available today that provide real-time insight across the entire software estate so that organisations can have peace-of-mind their software is always up-to-date. Ultimately, inaction is not a sustainable approach – local authorities cannot ignore the risks of running outdated and unpatched software. If a cyber-attack hits home because of negligence, it could cost much more to fix than a software upgrade. The cost of a data breach now stands at an average of £2.7m in the UK. That alone should be food for thought for local government leaders.