Agenda item

Update on Cyber Security

[Charlotte Johns, Director of Strategy, and Jai Ghai, Head of Digital and IT, to jointly present report]

Minutes:

 

 

Charlotte Johns, Director of Strategy, introduced the report which sets out the Council’s approach to managing strategic risks around cyber security. The Director of Strategy invited Jai Ghai, Head of Digital and IT, to present the detailed briefing to the panel. 

 

The Head of Digital and IT advised the panel that the purpose of the briefing paper is to provide information and assurance regarding the strategic risks that the Council and private and public sector organisations face in terms of cyber security and ransomware threats.

 

The Head of Digital and IT highlighted the risk of cyber-attacks during the pandemic and how hackers have taken advantage of the situation, which has led to an increase in the number of attacks on public and private data and network services.

 

The Head of Digital and IT added that, in response to the significant national increase in cyber-attacks, the National Cyber Security Centre (NCSC) highlighted the need for public sector organisations to take action to mitigate the risk of ransomware threats and to raise awareness of the importance of cyber security. The NCSC issued guidelines which highlighted the importance of public sector bodies taking remedial action to protect citizen data and the network, and of other preventive measures.

 

The Head of Digital and IT outlined the action taken by the Council to increase local security and to introduce appropriate measures for prevention and remediation in the event of a cyber-attack.

 

The Head of Digital and IT commented on the importance of the Council protecting data and, as an employer, doing what is necessary to make sure that access to the network by employees is always secure regardless of their location.

 

The Head of Digital and IT reassured the panel that the issue of cyber security is a key priority for the Council and is monitored rigorously through the strategic risk register. The service is also audited on an annual basis for cyber risks by the NCSC. The City of Wolverhampton Council is one of a few Councils nationally that have attained Cyber Essentials Plus certification, which was awarded recently following a review. The Head of Digital and IT commented that this is an indication of the level of commitment by the service. In addition, the Council also maintains its Public Services Network accreditation, which allows the Council to transact and interact securely with the NHS and other public sector organisations.

 

The Head of Digital and IT commented on the key actions taken to protect the Council from cyber security threats and highlighted the importance of encouraging the workforce to follow good practice, such as locking a laptop, in reducing the number of potential threats to the network.

The Head of Digital and IT commented that any potential threats and ransomware attacks can be identified through the regular monitoring of the network, and information is also shared with third-party suppliers to further mitigate risks to the Council.

 

The Head of Digital advised the panel that earlier in the year the service implemented a disaster recovery backup solution with built-in resilience to reduce the risk of any disruption to the service or the impact of ransomware attacks.

 

In addition, there is work planned to increase the capability of the secondary data centre currently held within Staffordshire County Council. There are plans in the future to build a secondary data centre within Wolverhampton. The plan is to make this an active data centre which would mean that employees will not experience any disruption when accessing the network because of an incident.

 

The Head of Digital and IT outlined the programme of investment in cyber security for the next six to twelve months as detailed in the cybersecurity framework document attached as Appendix 1 of the paper. The Head of Digital and IT added that the focus of the work will be to make sure the infrastructure is robust and that the service is forward thinking enough to protect systems when there is a threat.

 

The panel thanked the presenter for the report and members of the team for the work done during the pandemic to support remote working.

 

The panel queried if there had been an increase in ransomware attacks or malware attacks during the pandemic.

 

The Head of Digital and IT advised the panel that there had been a rise in cyber-attacks during the first national lockdown, with attempts made to take advantage of people working remotely, who are often using local connections which can be vulnerable to hackers. In response to these incidents, national government guidance was issued. The Council took remedial action to audit the security of the network against such attacks. The Head of Digital and IT reassured the panel that there is 24/7 monitoring of the network, which is designed to detect suspicious behaviour, for example emails from a supplier in a different format. In this situation the incident would be flagged, and the appropriate action taken.

The Head of Digital and IT was confident that the infrastructure was good in terms of detecting and preventing cyber-attacks against the Council.

 

The panel commented on the important role of employees’ actions in protecting the network from potential cyber-attacks by following guidance and queried the training offered to support this. The Head of Digital and IT commented that the service works closely with the Organisational Development Team and systems are used to monitor and identify suspicious emails and for employees to report incidents. There is also mandatory information governance training for all employees which covers data security. The training material is updated.

 

The panel queried the security requirements of third-party organisations who want to work with the Council or with whom the Council shares data. The Head of Digital and IT commented on the functional and non-functional specifications of contracts, which would mean that organisations would not be allowed to do business with the Council without meeting these requirements. The Head of Digital and IT gave the example of the decision to prevent the use of Zoom for remote working during the early stages of the pandemic, when the platform was considered to be vulnerable to cyber-attacks. However, when these security concerns were addressed, permission was given for employees to use the platform for remote meetings.

 

The panel asked the Head of Digital and IT to comment on future challenges to the security of the network and plans for mitigating them and reducing the risk of cyber-attacks on the Council network.

 

The Head of Digital and IT referred to the cybersecurity framework, which lists the actions planned to keep the network secure and protected in the future. There will also be an annual audit from the National Cyber Security Centre and the Public Services Network planned to take place in 2022. The findings from the two audits will be implemented to further protect the network in response to future challenges.

 

The panel welcomed the report and noted the progress.

 

Resolved:

 

The panel agreed to note the report.

 
