In this week’s bulletin, Charlie discusses the strengths and weaknesses of Glasgow City Council’s initial communications following a recent cyber attack, highlighting key lessons for crisis and business continuity professionals.
As a business continuity professional, I rather enjoy reviewing the crisis communications from an organisation in the few days after a cyber attack. It provides valuable insights into the organisation and its preparedness for dealing with this type of incident. Is the organisation’s communication professional, empathetic and comprehensive, or is it naïve, insensitive, and superficial? It is obvious they haven’t learned from the mistakes of others. Overall, I think the Glasgow City Council’s (GCC) initial communications on the cyber attack were generally good, and there is a lot of good practice to be found there. However, there are several elements that could be improved and addressed in future communications by others.
The Council had a cyber attack in the early hours of Thursday, 19th June, which impacted their external-facing service which hosted a number of online forms. These services were taken offline and had an impact on “a number of our day-to-day digital and online services”. They made the public aware of the attack on Wednesday, 25 June by posting information about the incident on their website, as well as conducting an interview with their Director of Communication and Governance, Colin Edgar, on STV News.
In my review, I thought I would use the checklist on initial communications best practice from a previous bulletin I wrote comparing M&S and the Co-op’s initial response to their cyber incidents.
The following are my views on GCC’s response:
1. Communicate within an appropriate timeframe.
There were 6 days between the Council initially finding the breach and informing the public. In the STV interview, Colin Edgar said this was because they had been advised not to inform the public as they were dealing with the breach, seeking to understand it, and didn’t want to alert other hackers who might try to exploit the situation. I think this is a fair reason and the timescale of telling the public gives them enough time to ensure that they are not vulnerable to another attack.
It is now 48 hours since their initial notification and they should update their advice with the latest information.
2. Acknowledge the incident and take responsibility for it at a senior level.
GCC have gone for a high-profile strategy in that they have gone very public in giving out information on the breach and informing the public. Low-profile strategies involve the organisation attempting to disclose as little information as possible about the breach, providing information only if requested or hidden in the depths of their website. Given that public information was lost from Scotland’s largest local authority, their proactive communication to the public on how to protect themselves demonstrated that they are taking their responsibilities seriously and working to protect the victims of the incident.
What has been excellent is their admitting right from the start that they may have lost data. This is so refreshing compared with the many organisations, such as Arnold Clark, which said they hadn’t lost data, only to have to admit later that they had, after a newspaper article about finding their data on the dark web. As 94% of ransomware attacks involve the exfiltration of some data, we can reasonably assume, without conducting forensic analysis, that the data has been exfiltrated.
There is a banner on the front of the website which points people to further information. My only slight criticism is it is ‘below the fold,’ meaning that you have to scroll down to see it. This may just be how the website was set up but good practice says that the information should be visible without needing to scroll down to notice it.
Best practice in incident management suggests that incident response is led by the CEO, CE, or the most senior person in the organisation. In this response, they have been conspicuously absent. The website has no name signing off, unlike the Co-op and M&S initial statements, and their Director of Communication and Governance conducted the STV interview. Future communications should be from the CE of the Council, or at least have a quote from her on the incident saying that they are taking it seriously.
3. Summarise the situation.
There has been lots of information on the website on the incident and its impact on services the council provides. I have always advocated putting detailed explanations on the website about the incident, as newspapers will pick up the information and then use it in their copy. GCC putting out lots of details has followed this trend. All the newspaper articles I have read are using quotes from the website and there is little other information from other sources. Glasgow City Times managed to find a disgruntled Glasgow resident who complained they couldn’t get their planning application in, but otherwise, in the media, there is very little additional information.
There is no mention of the type of attack and whether it is ransomware, but this is typical in communications on attacks.
During the STV interview, it was mentioned that CGI, which manages GCC’s servers, also hosts online forms for other councils. However, as far as I can see, there has been no further mention of this in the media. Perhaps this is an unfolding story.
I noticed they were very quick to note that “the council’s ICT supplier CGI discovered malicious activity on servers managed by a third-party supplier”. There is a danger in naming third-party suppliers to deflect information and blame from the organisation, as ‘you outsource the activity but not the risk’, and it was your organisation that chose the supplier and monitored their performance. It will be interesting to see how this one plays out – whether the supplier is further mentioned or whether GCC take full responsibility for the event.
4. Provide an explanation of any potential impact on customers, along with actions those affected should take.
GCC has put out good information on the data possibly lost and how people whose data the council hold can protect themselves. They have outlined how members of the public may get calls from people pretending to come from the council and have provided links for reporting possible scam calls and also links to NCSC guidance.
They have also made it very clear which council service has been affected but I think it raises as many questions as it answers. What has happened to the forms that have already been submitted? Are there workarounds? When will the system be up and running? What about submissions before the hack – will they still be processed if they are in the middle of processing?
What is missing is a Q&A which gives details on the impact and answers the obvious questions people need to know about each service. There is nothing on what council services are not affected. I teach that for all the services provided by the council there should be traffic lights saying: not being delivered at all, partially being delivered, and business as normal. When there are red and amber services there could be further information.
On X, there are already people asking if their parking fine is going to double if they don’t pay it on time and they can’t pay on the portal – what should they do? One of the affected services is Certificate Online (births, deaths, marriages) – does this mean you can’t apply for a duplicate birth certificate or you can’t register a death or a marriage? Births, deaths and marriages are emotional times and any impact or possible impact on the service provided by the council is going to add to the stress. It is vitally important to provide people with information, even if it is bad news – you can’t get married – at least people can understand the situation they are in. The Council should, as a matter of urgency, write the Q&A for their service and introduce a traffic light system for the status of their services.
5. Information on a possible data loss.
I think the information on this is comprehensive and shows good practice.
6. Include information on the steps you are taking to deal with the situation.
GCC’s initial communication lacks any indication of improvement and fails to provide a timeline for service restoration. There is also little information on how the council is dealing with the situation, and how hard they are working to deal with it. I know this is a bit trite and I am sure they are working hard, but it doesn’t do any harm in bringing to the public’s attention how all staff are pulling together and working non-stop to manage the situation.
7. Use a tone that reflects empathy, accountability, and emotional intelligence, and is personal to the recipient.
As well as having no words from a senior manager on the website, the tone to me is too un-empathetic and cold. The apology is half-hearted and appears to have been added as an afterthought: “Glasgow City Council apologises for the anxiety and inconvenience this incident and the necessary response to it will undoubtedly cause.” Most of the website information can be factual, but some senior manager empathy would improve the response.
Phrases like “may have involved the theft” and “we are operating on the presumption” show uncertainty, which can make GCC look unprepared for the incident. While cautious language is needed, the tone risks sounding vague and defensive.
8. Give information on when updates will be given.
Good practice says that there should be something on the information page about when we can expect an update on the situation, usually at least every 24 hours. Even if the update says they are working on the problem and there is nothing new to report, this is still an update and so I think this should be introduced.
9. Give directions on where to find further information or how to contact the organisation.
Again, good practice would say that there should be information on how to contact the council if you need further information or have a specific query. They may expect people to contact the council through normal channels, but they haven’t explicitly said this, and are those channels available? Consideration should be given to a helpline specifically for the incident, staffed with additional personnel beyond the normal help desk and communications methods. Helpline staff should be given the same Q&A as on the website and can update it as new queries come in which have not already been covered.
In conclusion, this has been a good initial response, but very quickly the public will be expecting further communication and more detailed information. As of Friday lunchtime this hasn’t happened. As we can see from M&S and some of the other local authority hacks such as Hackney, the criticism comes when the impact is long term and services are not quickly restored. I give GCC a solid 7 out of 10 for their initial communications.