To receive a report from the Executive Director, Resources.
Kieran Murphy, Fay Hammond and Martin Sanders introduced this report.
1. A similar report had gone to a previous meeting of the Audit & Risk Committee. This report has been refreshed and brought back.
2. Kieron Murphy has joined the local authority this year as the Director of Data, Digital and Technology, and his title reflects how important cyber security is. One of the top objectives in this role is to move Enfield’s cyber security and data assurance to a better setting. The Council now has a very clear plan of action against each of the risk items. These have been ranked, and each has been assigned to a named individual and to a specific date. All risks will be reported to the Assurance Board to ensure that progress has been made.
3. Since the last report some risks have been addressed; a phishing test (rogue email) was sent in July to test the council’s cyber compliance. This generated action points, among them the need for more cyber security training for both the public and officers.
4. This report builds on the previous report and considers not just cyber security, but also looks at how we train people and the tools used. The purpose of the report is to recognise some key proposals. The appendix to the report details the types of risks and threats and how the council deals with them.
5. The Council would like to adopt and work towards the National Cyber Security Standards. The key risks will be reviewed through a remediation programme which will be brought back to a future Committee meeting.
6. Security roles are to be brought under the remit of the Director of Data, Digital and Technology; at present some of these roles are spread across the Council.
7. The reason for this proposal is that there are existing assurance risks, and these will always exist because of the use of IT and cyber tools. A number of these risks and threats have risen due to the substantial increase in remote working. These increased threats have become more sophisticated and are perpetrated not by individuals but by criminal organisations. The council wants to ensure that the existing tools we have are being used fully and that the processes are robust.
8. The local authority must maintain statutory compliance including everything from taking payments through to how it communicates with other public organisations.
9. There is a need to raise awareness so that the Council as a whole is aware of risks and threats and knows that it has the tools to deal with them.
10. The National Cyber Security Centre is promoted by the Cabinet Office and the Local Government Committee. Enfield was not previously using these standards; instead it was using those of other organisations.
11. Prior to Covid 19, research from companies such as Mimecast had indicated a 140% increase in phishing (clicking on links), email spoofs (pretending they are from somewhere else) and ransomware attacks (where you have to pay to release your software). Over 40% of small and medium firms had a security incident in the past year.
12. The Council has had 51 reports in the last quarter, 1 of which had severe business impact. This was an attempt to direct payments to a different bank account, which was prevented with no financial loss. There were some medium risks (these have a potential impact but generally people report them) and low risks (things such as “what do I do in these cases”).
13. There are around 50 risks reported in most quarters, including the lockdown period. As awareness is raised and the training is improved this number may rise as people report more.
14. There is a Cyber Security Risk Register detailed in the report. The risks in the red box are key; an example is old applications from an external supplier which are not compliant with standards, and there will be a future strategy to replace them. In the meantime, they will be monitored.
15. We received a report from government in June identifying the impact of Covid 19 and some of the recommended approaches. The Council has tested itself against this report. The key point highlighted in this report is that more people working remotely on their own networks and attaching to the council’s network creates more vulnerability. The amount of remote working across the council has increased from approximately 500 people pre-Covid 19 to approximately 2.5k people working remotely. This brings an increased exposure to risk.
16. The number of staff to deal with increased risks has not been increased, so the Council is reviewing the use of the available tools. Increased ransomware attacks are one of the issues that public sector organisations should be most aware of. This is where criminal organisations try to take over organisations and then demand a fee to release the system back. Other examples of threats that we need to be aware of are: phishing, cyber enabled fraud, espionage, and hacking.
17. Some examples of the action that should be undertaken and will be built into our plan are: the need to review the supply chain, including looking at the devices that are coming through our applications; and reviewing local reporting groups that the Council should be a part of.
18. A survey is now being undertaken and will be completed this month to look at how good we are and where the gaps are.
19. The Council has been given some free toolsets which will help measure where we are with our security.
20. Since this report the Council has now joined the Local Digital Declaration. This gives us an opportunity to get some funding and some assistance with a number of programmes the Council has. This also means that the local authority is recognised as a leading organisation in the way it deals with security threats.
21. At the end of this month there will be a report on the standards, and this will be put to the internal Assurance Board.
22. The cyber security remediation plan will be reviewed and will be part of a continuous improvement plan.
23. A strategic review has been undertaken to ensure that the right people are in the right places, and also to move to reporting monthly to the Assurance Board.
24. The council is now bringing issues such as ransomware attacks and phishing into business continuity and emergency planning, so that potential issues can be simulated as part of this planning.
25. A few achievements over the last quarter to be noted: raised training and awareness within the organisation, including new starters; issued Covid 19 and remote worker guidance; now have permanent people in place in the security team and have received funding from the LGA to train them. The Council has introduced a number of key security solutions for remote working, such as an additional layer of security during lockdown, and additional risk assessments have been undertaken on social media.
26. All our suppliers must meet security standards. All IT projects are assigned against the security standards.
27. Projects being delivered at present: multi-factor authentication, similar to what banks use. This is being rolled out now and, once fully rolled out, will reduce the risk of being hacked by 99%.
28. The local authority is working to renew the Public Services Network certificate; the government has granted an extension to allow us to work on fixing Covid 19 related issues first. By September we should be in a position to reapply for the certificate.
29. There is one dashboard covering data protection, cybersecurity and information governance.
30. The main considerations for approval by the committee are the adoption of standards, the approval of the cyber security remediation plan, the transfer of the roles into the Director of Data, Digital and Technology, and the acceptance that we are going to need to implement new tools.
31. A report will go to Cabinet in October as part of the restructure. This will show what further investment may or may not be required. At present no further funding is being requested, but this may change.
32. The Council needs a piece of software to deanonymize data so that we still remain fully compliant in our audit that we are not deleting information that is sent over. The report on the breaches can be shared at the next report. Officers will confirm with the Director of Law and Governance the elements of the report that can be sent out to the committee.
The following questions were raised:
Q: 84 per cent of IT security budgets have risen; do you expect these to rise further, and do we have enough financial support? There is also a recognition that too much data to analyse can be a security inhibitor; do we have enough staff, and can we get ahead of the curve with staff numbers as more will be done online?
A: We do not expect a high increase as we have already spent the money putting in monitoring systems and recruiting the additional permanent staff. In the medium-term financial plan, an additional £350k was included as staffing growth in 2020/21 and a further £350k in 2021/22 in order to strengthen the ICT team. The monitoring software needs to be taken to a new level of scrutiny now we have the internal staff in place who have replaced agency staff. There is currently an ICT staffing restructure under way that will strengthen the Infrastructure and compliance areas by addressing key security skills, including the creation of new jobs requiring different skill sets.
Q: How often do we monitor the security systems?
A: Our tools are in operation 24/7. For example, we use email monitoring software provided by Mimecast, we monitor our network using software called SolarWinds, and we undertake Penetration Testing of our network using a company called CareTower. We monitor security breaches daily and report these monthly, and for any major breach or incident an incident report is issued on the day. As we develop our approach, we will be creating a new ICT Security, Information Governance and Data Protection dashboard over the coming two months; this will then be shared with the Assurance Board at every meeting.
Q: In what way do you decide the risk level on the risk register?
A: We use the corporate risk register standards to assess risk – (impact/likelihood) to create risk score that is then banded as high/medium/low.
Q: Numerous studies have shown that it is difficult to deanonymize data; what reassurances can you give us? Do we keep a ledger of breaches that can be shared with us, even if it is a sample?
A: The council is alert to its GDPR responsibilities in this area; should there be any breaches, these would be reported to the Information Governance Board and on to the Assurance Board as appropriate. Further, with the multiple systems used by the council and the data we hold, this is indeed a challenging area for system testing. The current approach is to manually change any sensitive data by redacting it. In addition, additional software will be needed to do this automatically. We are looking to invest in data anonymisation tools that can amend or redact data by rules set within the tool, and we use reporting logs that identify changes to data.
i. Recognise and accept the risks and findings in the report
ii. Support the adoption of the NCSC standards and compliance for the organisation
iii. Note the proposal to address the key risks through a Cyber Security remediation programme from June 2020 and for regular updates to this Committee
iv. The movement of SITO and CISO roles to the Director of Data, Digital and Technology