Sector Analysis

Sector Under the Microscope: Cyber Security for Local Government

> series: sector_under_the_microscope —— part: 09/10 —— sector: local_government —— data: citizen_records

Hedgehog Security · 22 January 2026 · 12 min read

Public services. Public data. Public scrutiny.

Local councils occupy a uniquely challenging position in the cyber threat landscape. They hold vast quantities of citizen data — council tax records, housing benefit details, social services records, planning applications, electoral roll data — across hundreds of interconnected services. They operate with constrained budgets, legacy IT estates that span decades, and the knowledge that a breach will be reported by the local press and scrutinised by elected members, the ICO, and the public.

This article examines the specific threats facing UK local government, the regulatory framework, and the practical security priorities for organisations that must protect citizen data while delivering public services.



What targets local government.

Ransomware — The Council Killer

The Redcar and Cleveland Council ransomware attack in 2020 cost an estimated £10.4 million in recovery and service disruption. Hackney Council was similarly devastated, with citizen services disrupted for months. Ransomware targeting councils is not hypothetical — it is a demonstrated, recurring, devastating threat.

Citizen Data Theft

Council databases contain comprehensive citizen records — names, addresses, dates of birth, national insurance numbers, financial information, social services records, and electoral data. A breach exposes an entire borough's population to identity theft and fraud.

Social Engineering Against Staff

Council staff — particularly those in public-facing roles (housing, benefits, social services) — are targeted with phishing campaigns impersonating government departments, elected members, and partner organisations. The high volume of legitimate external communication makes it difficult to distinguish genuine requests from social engineering.

Supply Chain Through Shared Services

Councils increasingly share IT services, platforms, and data with partner organisations — other councils, NHS bodies, social care providers, and outsourced service companies. A compromise in any partner organisation can propagate through shared infrastructure.

PSN, GDPR, and public accountability.

| Framework | Requirement |
|---|---|
| Public Services Network (PSN) | Councils connecting to the PSN must demonstrate compliance with the PSN Code of Connection — which includes annual IT health checks (penetration testing) conducted by a CHECK or CREST-approved provider. Hedgehog Security is approved for PSN IT health checks. |
| UK GDPR | Councils are among the largest processors of personal data in the UK. The ICO actively monitors and enforces GDPR compliance in the public sector — and has issued multiple enforcement notices to councils for inadequate security measures. |
| Cyber Essentials | Cyber Essentials is required for central government contracts and increasingly expected at local government level. Councils also require Cyber Essentials from their suppliers — creating a cascade of certification requirements through the supply chain. |
| NIS Regulations / Cyber Security and Resilience Bill | Councils delivering essential services may fall within scope of the NIS regulations and the forthcoming Cyber Security and Resilience Bill — which will strengthen security obligations for public sector organisations. |

Vulnerabilities in local government.

Our engagements with local councils and public sector organisations consistently reveal the consequences of decades of underinvestment in IT combined with rapid digital transformation — legacy systems connected to modern cloud platforms, shadow IT proliferating in service departments, and security controls that vary dramatically between different parts of the same organisation.

| Finding | Local Government Context |
|---|---|
| Legacy systems on unsupported platforms | Line-of-business applications running on unsupported operating systems because the vendor has not migrated, the budget does not exist for replacement, or the service dependency makes migration politically difficult. |
| Inconsistent security across departments | IT teams manage core infrastructure, but individual service departments deploy their own SaaS platforms, databases, and tools without IT oversight. Shadow IT in social services, planning, and environmental health creates unmanaged attack surface. |
| Excessive reliance on VPN without segmentation | Remote workers connect via VPN directly to the internal network with no segmentation between services. A compromised home device has the same network access as a hardened office workstation. |
| Weak Active Directory hygiene | AD environments that have grown organically over fifteen or twenty years — nested groups, orphaned accounts, overprivileged service accounts, and group policies that conflict with each other. Internal testing consistently reveals rapid paths to domain compromise. |
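A read-only Active Directory hygiene review that covers three of the findings in the table above: orphaned (inactive) accounts, service accounts holding privileged group membership, and groups nested inside privileged groups. This is an added example, not Hedgehog Security's tooling; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the 90-day inactivity threshold and the list of privileged groups are assumptions to adjust for your estate.

```powershell
# Added example, not the article's or Hedgehog Security's code. Read-only AD hygiene
# review. Assumes the RSAT ActiveDirectory module; threshold and group list are assumptions.
Import-Module ActiveDirectory

$StaleDays        = 90                                          # assumption: inactivity threshold
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$Cutoff           = (Get-Date).AddDays(-$StaleDays)

# 1. Orphaned accounts: enabled users with no logon inside the threshold (or none recorded),
#    typically leavers, contractors and forgotten test accounts that nobody has disabled.
$Stale = Get-ADUser -Filter 'Enabled -eq "True"' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# 2. Overprivileged service accounts: accounts carrying a servicePrincipalName (so a service
#    runs under them and their credential is present on that host) that are also members,
#    directly or through nested groups, of a privileged group.
$PrivMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}
$ServiceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet
$PrivServiceAccounts = $ServiceAccounts |
    Where-Object { $_.SamAccountName -in $PrivMembers.SamAccountName }

# 3. Nested groups: groups placed directly inside a privileged group, which is how
#    privileged membership drifts beyond what the annual review actually inspects.
$NestedPriv = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'group' |
        Select-Object @{ n = 'Group'; e = { $g } }, @{ n = 'NestedGroup'; e = { $_.SamAccountName } }
}

# Summary suitable for a remediation ticket or an IT governance report.
"Enabled accounts with no logon in the last $StaleDays days: $(@($Stale).Count)"
$Stale | Select-Object SamAccountName, LastLogonDate | Sort-Object LastLogonDate | Format-Table -AutoSize
"Service accounts (SPN) holding privileged membership: $(@($PrivServiceAccounts).Count)"
$PrivServiceAccounts | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
"Groups nested inside privileged groups: $(@($NestedPriv).Count)"
$NestedPriv | Format-Table -AutoSize
```

Run it under an account with read-only directory rights; each list maps to one remediation action (disable, move the service to a dedicated low-privilege account, flatten the nesting) that can be tracked before the next PSN IT health check.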

Security priorities for local government.

For local councils, we recommend starting with the PSN IT health check (if PSN-connected) combined with an internal infrastructure test that focuses on Active Directory security and network segmentation. Complement this with Cyber Essentials certification and ongoing monitoring through SOC in a Box for Local Government.

The combination of annual penetration testing, Cyber Essentials certification, and continuous SOC monitoring provides a defensible security posture that satisfies PSN requirements, demonstrates GDPR compliance to the ICO, and — most importantly — protects citizen data from the threats that have already devastated other councils.


Part 10 — the final sector.

In the final article of this series, we examine the defence and engineering supply chain — the sector where Cyber Essentials Plus is not optional, where DEFCON standards apply, and where the threat actors are nation-states with unlimited budgets and patience.


CHECK and CREST-approved testing for local government.

We deliver PSN IT health checks, <a href="/penetration-testing/infrastructure">infrastructure penetration testing</a>, and <a href="/cyber-essentials">Cyber Essentials certification</a> for local councils and public sector organisations. Our reports satisfy PSN Code of Connection requirements and our testing methodology accounts for the unique constraints of public sector IT environments.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
