Agenda item

To receive an update report on Cyber and Technology Security.

Kieran Murphy, Director or Digital, Data & Technology and Martin Sanders, Head of Service Management & Governance introduced the report.

NOTED:

1.    This updated requested by the Chair

2.    The committee is asked to accept the risks and findings in the report and accept the progress that has been made to date.

3.    The key things to note are; where we are with our existing assurance levels; the impact of increased remote working due to Covid and the increase cyber threats to the public sector; successful attacks to other peer organisations; our success at thwarting these attacks and ensuring that everyone is aware of the need for constant change to keep up to date with these attacks; ensure that our existing tools and processes are robust; maintain statutory compliance and ensure that the whole council needs to be aware of increased risks and remain vigilant.

4.    The key threats impacting the council since July 2020 are increases in; Phishing, Email spoofing, Ransomware, Malware, and Distributed Denial of Service.

5.    Hackney Council who deliver the same services and use many of the same applications were victim to a ransomware attack in October. There has not been a formal report into this at present.

6.    Security reporting for the period 1 July 20 to 31 October 20 is detailed in paragraph 12 of the report.

7.    On email security, in the last 4 months the council has undertaken a further review of the monitoring tools used. To give an indication of the level of attacks or potential attacks on average the council sends or receives around 56,000 emails per day and the monitoring tools block around 48% of these emails.

8.    The email review identified that the software and processes work well. It identified that in one month alone 200 malware attacks were identified. From this a series of improvements and remediation will be incorporated into the Cyber Security Remediation Programme.

9.    The risk register will come back to a future meeting of the committee as this is mostly covered within the Cyber Security Remediation Programme that is being delivered.

10.Progress and achievements since the last report are detailed in section 13 of the agenda report.

11.The next stage is to bring in some specialist fixed term roles within the current capacity to deal with new and emerging threats, particularly in light of the Hackney attack to ensure that the council remains as secure as possible.

12.The Cyber Security Remediation Programme is targeting most of its delivery by the end of March 21.

13.The main considerations for the council are detailed in the agenda report.

Questions, comments and queries raised:

·         When the mock cyber-attack is undertaken are staff aware that this is taking place in advance. Officers confirmed that staff are not made aware when a mock cyber-attack takes place.

·         On the Public Services Network Certification is the council on time to meet the work needed by the end of the financial year? The Certification ran out in September 20, but the Cabinet Office have not removed compliance andthe work needed will be completed by December 20 to get this certification for the period that has just gone and the council will be commencing work for the September 2021 certification. These additional elements that have been put on by PSN are as a result of the recent cyber-attacks. This involves improving some of the council’s servers and firewalls, so this enhances improvements.

·         What size is the budget for cyber security compared to the previous year? The budget doubled in terms of investment and is funded through capital and revenue. This has increased due to the need to put in extra software. The increase in the budget reflects that whilst the council were running a campaign once a quarter in the past, the new software being bought in is a more enhanced ransomware software. This gives the ability to run a monthly awareness campaign. The industry suggests that the biggest safeguard for cyber security is awareness through people.

·         Regarding the Business Continuity Plan does this include other companies or partners that the council will work with in the event of an attack. The Business Continuity Plan in terms of how we can move to another office is in place. The Disaster Recovery Plan, identifies all our critical applications, and is which is separate in terms of recovering our systems is part of the council’s Remediation Plan and is in place. There will be a test of ransomware in the first quarter of 2021. There will also be a disaster recovery test which will test the Business Continuity plan.

AGREED to note the report on Cyber & Technology Security