Published: 24th August 2023
Serving a county of 1.2 million people in south-west England, Devon County Council has for years been well aware of the growing importance of cyber security in keeping its operations running smoothly. The most prudent approach was to move from an on-premises solution to the cloud.
Against a backdrop of more frequent and more damaging security incidents, particularly in the public sector among regional governments, the council proactively took steps to secure their organisation and the people, communities and businesses they serve. They realised it was probably only a matter of time before they’d be targeted by a cybercriminal group intent on encrypting or stealing their data, or both.
More intelligence and greater knowledge of their assets
So, a few years ago they installed Microsoft Defender tools to gain more intelligence about their IT estate and acquire the knowledge they needed to respond to security alerts. However, while all this information was clearly invaluable, it also presented a challenge.
“The ICT strategy at Devon County Council had determined that an enterprise licensing arrangement with Microsoft was the right approach for the authority, with the benefits of Defender’s extensive security tooling being an attractive element of the package,” says Robyn Dennis, Strategic Cyber Security Manager in the Digital & Technology Service at Devon County Council. “With over 5,000 internal staff we knew we needed comprehensive protection in place across the whole organisation.
“However, we also knew we didn’t have the capabilities, knowledge or capacity in-house to handle what we were seeing. We reached out to a couple of suppliers we’d previously worked with to run a Proof-of-Concept (POC) on Microsoft Sentinel to understand it better and consider what the architecture of a Security Operations Centre (SOC) would look like in the long run, and we discovered that a hybrid approach to the SOC would suit us best.”
Previously, the local authority had some out-of-hours security coverage but lacked 24*7 monitoring of their estate, which they knew was the minimum level of security to give them peace of mind every day.
Setting out on the next stage of their journey, they searched for the right partner to protect their organisation, which was when Microsoft suggested they talk to Quorum Cyber.
“We liked their ethos of helping good people win and with their Microsoft-first approach they seemed the right fit,” says Robyn, who has worked tirelessly to raise cyber security awareness in the council’s hierarchy and to convince the senior management and governing board that it should be part of their culture.
Swift onboarding to add a safety net
Onboarding to the Microsoft Sentinel Managed Detection & Response (MDR) service, run by the experienced SOC team, was swiftly achieved before the Christmas 2022 change freeze to give Robyn’s team a safety net and peace of mind during the festive season, which some threat actors see as an opportunity to target organisations whose teams are on annual leave.
“The 24*7 monitoring capability is a real plus point and gives me more assurance that we have the right capabilities in place to manage risks as best we can,” she says. “It frees a lot of our team up to take on other activities.”
After a relatively short time working alongside Quorum Cyber, she’s happy with the continual improvement, the iterative reviews to assess the council’s security maturity, the guidance to navigate any incidents, and the ease of engaging with the SOC.
“The service gives us a lot more confidence and assurance that our systems are working and that any alerts will be picked up at an early stage,” says Robyn. “It gives us the confidence that we can deliver services to citizens. Our Sentinel and our analytics are being managed by experts in their field. We know that without this service, we’d struggle to recruit the same level of skilled professionals.”
Trust has grown so much that the partnership is now looking to set up delegation of authority so that the SOC team can fine-tune configurations without requesting permission from Robyn’s team on a case-by-case basis, which speeds up improvements to security.
Growing a cyber security culture
“Cyber security is now one of our highest corporate risks and high on the board’s list of priorities. I’m doing a piece of work so that our senior leadership team (SLT) always understands the cyber risks we face. I always tell the SLT about the positive news and the partnership definitely helps me with this. We need to keep progressing and it’s important that we don’t take any steps backwards. I’ve also spent some time telling our cabinet members and our scrutiny board to help them understand our current cyber security posture – what’s good and what’s bad. We’ve been on a journey of internal awareness of why cyber security is important. Years ago there was a perception that it could have been a blocker to operational activities, but we now see it as an enabler in the long term.”
The purpose-built customer dashboard is another plus point for Robyn. “Clarity is brilliant, the detail that goes into the tickets is really useful. I regularly take reports and the dashboard images to our Senior Information Risk Officer (SIRO). The dashboard images give us useful information and we see threat intelligence reports give us advance warning of zero-days. Knowing that there’s someone in the background threat hunting in our environment gives us extra assurance.”