Eighty per cent of London councils are at risk of major cyber attack, security experts warn

Ella Wills
Authorities are failing to implement a security protocol to protect their email: PA

Most of London's councils are not protected from cyber attacks, new research has revealed.

Major phishing scams pose a huge risk to 82 per cent of local authorities which have not implemented an email system to keep residents safe, a report by security experts shows.

The public are vulnerable to hackers impersonating government email accounts, according to cloud data intelligence company OnDMARC.

Local government bodies are failing to execute the necessary safeguards to protect their constituents, experts said.

The majority still lack an email authentication protocol, known as DMARC (Domain-based Message Authentication, Reporting and Conformance), which establishes whether emails are fraudulent.

Secure your inbox: Organisations were advised in June to secure their emails to protect customers from attacks (Getty)

Hackers could use convincing fake government emails to trick recipients into sharing personal details or hand over cash.

Just six of the capital's 33 local authorities had implemented DMARC. Four organisations were using the system in 'protection' mode, which means that malicious emails will still be delivered to junk or spam folders, statistics showed.

Two authorities, in Hillingdon and Merton, were set to 'reject' mode, which blocks emails from being sent.

Councils in Hounslow, Hammersmith and Fulham, Waltham Forest and Kensington and Chelsea also use the system.

The Greater London Authority are among those not using the software.

London authorities yet to implement DMARC in protection mode:

  • Bexley Council
  • Bromley London Borough Council
  • Ealing Council
  • Enfield Council
  • Greater London Authority
  • Greenwich Council
  • Hackney London Borough Council
  • Haringey London Borough Council
  • London Borough of Barking & Dagenham
  • London Borough of Barnet
  • London Borough of Brent
  • London Borough of Camden
  • London Borough of Croydon
  • London Borough of Harrow
  • London Borough of Islington
  • London Borough of Lewisham
  • London Borough of Newham
  • London Borough of Redbridge
  • London Borough of Richmond Upon Thames
  • London Borough of Tower Hamlets
  • Royal Borough of Kingston upon Thames
  • Southwark Council
  • Sutton Parish Council
  • The London Borough of Havering
  • The London Borough of Lambeth
  • Wandsworth Borough Council
  • Westminster City Council

DMARC protects customers from someone impersonating a business.

It gives a company or local authority the power to find out details about every service sending emails on behalf on an organisation.

Once the system is set up, emails pass through a security assessment before they are sent out.

Organisations will specify a policy on what to do with emails that fail the assessment - they can either be blocked, or delivered to the customer's junk or spam inbox.

The National Cyber Securtiy Centre (NCSC) recommended in June that authorities implement the email authentication protocol, which is globally acknowledged as the only way to guarantee the legitimacy of email ‘from’ addresses.

Without DMARC in place, there is no way for a recipient of an email allegedly coming from these local government domains to be sure the sender is legitimate.

Phishing is one of the most common forms of cyber threat - 91 per cent of all cyber attacks start as phishing emails, according to research from PhishMe.

Randal Pinto, COO and co-founder of OnDMARC said: “The UK Government has deemed DMARC as an essential step in protecting residents of London against phishing attacks, so it’s disappointing to see so few local authorities in the capital neglecting to shore up their email defences.

“The problem with email is that it was never created as a business tool. It was created to be as simple as possible. Everyone thinks email is secure, but when email is passing through to another server it is not secure.

“You can use someone else’s domain from a high reputation to deliver scams. It can be very specific, so if someone knows that someone is expecting some information to transfer money, they can use run-of-the-mill tools to impersonate the council to get information or a transaction."

Mr Pinto said that local authorities the process to implement government guidance on cyber security should be improved. A digital marketplace called G-Cloud 9 exists to help local authorities buy DMARC services.

He said: “There is open guidance on security, but between that and it making it’s way down to the decision makers, I think that can be improved.

"It’s not clear to us whether every council knows about G-Cloud 9, and that there is a process where they can buy DMARC from suppliers. Some councils have implemented it so the info is making it’s way in, but why it’s not widely used is not clear.

"Everything is available to councils – it’s just the last mile of education and awareness so that they understand the risk and they know where to get the solution from.”

A spokesperson for the Greater London Authority, said: “Cyber security is a top issue for the Mayor and his new Chief Digital Officer, Theo Blackwell, and the GLA has strong protections in place to ensure that its IT systems are not at risk of phishing attacks.

"City Hall is continuing to work closely with the London Digital Security Centre, a venture that is funded by the Mayor, to find ways to improve London’s resilience.”