Agenda item

Cyber Security

[Report to Follow]

Minutes:

The Board welcomed Gail Rider, Head of ICT to the meeting.

The Director of Governance, who was the Senior Information Risk Owner (SIRO), had recommended that a report be presented to Scrutiny Board to provide an overview and understanding of how cyber security was managed within the authority. The report included information on the robustness of the processes and preventative measures that were in place, an overview of the authority's cloud storage approach and the ongoing roadmap that assured constant and up-to-date approaches to new threats and challenges.

It was stated that the Council was a Microsoft partner which meant that any processes were supportive and progressive.

The Council adopted a cloud-first approach, but this wasn't always an option as some applications were not cloud ready. The cloud was provided by Microsoft, which was one of the most secure, and the Council only paid for what it used. There was a secondary data centre in Stafford and a proportion of what the Council ran was replicated there.

The Council took a very preventative approach to cyber security and it was stated that there had been four attempted attacks since Christmas, all of which had been stopped.

It was confirmed that the Council did apply patches regularly and was continuously updating firewalls and antivirus software whilst also working closely with partners including the Information Governance team.

The Council's cyber security had been assessed and had once been deemed to be one of the safest in the region.

The Board queried the use of multiple and often very complex passwords and it was confirmed that the Council’s password policy was currently under review and that the team were aware that it could not be overly secure as this might make it harder for people to use the services on offer.

The Board considered the issue of the phishing campaigns that had been carried out by Information Governance. The first had been carried out in October 2017, with 608 emails being opened and 500 employees attempting to click on the link. The more recent exercise had resulted in 93% of emails not being opened and only 4% of recipients attempting to click on the link.

The question was raised as to what the big-ticket issues were that could really cause problems if the Council got them wrong, such as a sustained denial of service attack (if services went down for a long time), the safeguarding of data, or problems with the urban traffic control centre for the Black Country, including the threat of hostile actors trying to take it down.

It was stated that the Council was looking at every single service it had and every application including where it sat, how it was backed up and how it was secured. The Head of ICT stated that she had managed to obtain match funding to put in additional controls. The Head of ICT stated that in relation to the Urban Traffic Control System she would expect that this was replicated in Stafford with the servers based here.

It was noted that the Urban Traffic Control System worked off a mobile network and the question was raised as to whether this could be interfered with. The Head of ICT stated that she would investigate this and provide a response later.

The Board raised the issue of interfering with as well as stealing data. Data sharing was becoming more important, with organisations such as the Fire Authority working with the police and possible funding from the government being provided to create a data hub.

Also of concern were areas such as the linking of internet-connected devices, for example a doorbell which, when rung, lets you see who is there on your phone. The concern focused on the fact that security had not always been built into these systems.

The Board considered flood risk defences and whether they could provide a backdoor into higher level systems. It was thought that the Council needed to be aware of where it set the levels of what was allowed on everything and that nothing should be allowed onto the network until the Council were certain that it was as safe as it could be.

The Board queried how the Council monitored the people that had access to information and how it would manage a disgruntled employee with access to sensitive data.

The Head of ICT stated that the Council had to have trust in employees, but that where a department was perhaps going through a restructure, certain rights may be removed from certain individuals if there was deemed to be a risk.

The Board considered what the cost to the Council would be if there was a major cyber attack including all the legal implications linked to breaches of data protection regulations.

The Board considered that as councillors, they were all now responsible for the data they held and that they needed to be more focused on the issues.

The Board queried how cyber security linked into emergency planning and resilience. It was stated that the Council's ICT team worked very closely with the Emergency Planning and Resilience Team and that the work currently being undertaken would produce a report highlighting any gaps and options for fixing them.

The Head of Governance stated that every service in the Council had a business continuity plan and that turnaround times had been identified with the resilience team. Levels of priority had also been identified and had all been refreshed in the last month.

The Board considered that, as councillors, they took on a lot of casework and this made them data controllers, responsible for the data they held on residents. It was noted that everyone had different ways of dealing with this data and different hardware with different levels of security, and it was queried whether a cloud-based solution could be put in place for councillor casework.

The Head of ICT stated that any casework carried out on Council-supplied equipment would be secure and that she could investigate the possibility of a home device and cloud storage.

The Board also sought information on data sharing as some people might be doing things that were not safe without realising that they were not safe. It was recommended that this be brought back to a future meeting.

The issue was raised that the majority of breaches were not caused by people disobeying the rules on purpose but by human carelessness, such as connecting the wrong things to the wrong thing. The recommendation was made that the cyber security training, and the monitoring of who had completed it, be looked at, perhaps with a view to restricting access to the Council network for those who had not recently completed the training.

It was also recommended that an item on cyber security be added to the work plan for the next year.

Resolved:

(1) That an item on cyber security be added to the scrutiny work programme;

(2) That the Head of ICT investigate the possibility of linking mandatory cyber security training with access to the Council's networks;

(3) That the Head of ICT investigate the possibility of a cloud-based solution for councillor casework;

(4) That the Head of ICT investigate the matter of the Urban Traffic Control System and the risks associated with it.

Supporting documents: