Agenda item
Cyber Security - to follow
Minutes:
John Finch (Information Governance Manager), Peter Honeywell (Transformation Architecture Manager) and Councillor Shayer (Deputy Leader and Cabinet Member for Finance and Economy) presented the Cyber Security report to Members and highlighted the following key points:
(a) |
the threat from cyber-attacks was rising within the public sector with several councils having suffered major attacks in the last three years which has resulted in some cases in the total loss of IT services. There was a major focus within central government and the Local Government Association to ensure that local authorities reduced their exposure to cyber-attacks and have the appropriate business continuity processes in place to reduce the impact;
|
(b) |
the report set out the different scenarios that the Council may face with each scenario assessed for the impact on the Council; the report then covered the action the Council had taken to reduce the impact of the attack; it was considered that there were significant parallels to what was carried out in the commercial world. |
In response to questions raised it was reported that –
(c) |
enterprise grade applications were used by the Council in its cyber security covering monitoring, detection and protection activity; there were many layers of those defences including active detecting software looking at activity in and out of the Council’s estate, trying to identify threats and attacks before they penetrated the device or the services targeted;
|
(d) |
the Council was increasingly moving its software to the Cloud; it was considered that this gave additional cyber security and also offered an opportunity to buy in a different way without the capital investment associated with on premise type solutions;
|
(e) |
an un-editable backup software was adopted by the Council; this meant that physical devices that were used were complex to override therefore creating a way of avoiding some of the threat that ransomware presented to the Council;
|
(f) |
the Council was still using CareFirst for Adults Services and some of Children's Services data. Some of the functionality in Children's data hadn't yet migrated across to the Eclipse programme so that programme would continue for the rest of this year. With regards some of the ransomware attacks that they have received, it was difficult to say what data they had extracted, if any, but there were processes in place to assess the impact, assess what data has been extracted, and then officers would work with children services to minimise the impact on the client. One of the most crucial things about the Council’s data breach management process was the impact that information could have on a client - this impact would be minimised where possible. Moving data records to Eclipse reduced the risk considerably, as it was a cloud hosted service;
|
(g) |
the Information Governance Manager was a member of a regional forum on cybersecurity which had most local authorities in the southwest from Gloucestershire, Dorset, to Cornwall. This forum linked in with a national meeting which was convened on a monthly basis with the National Cybersecurity Centre and various government departments. A lot of cybersecurity and best practice was shared within these forums and several national systems for cyber security were free;
|
(h) |
the Council had learnt valuable information in security mitigation as a result of information shared from other local authority cybersecurity attacks; the Council collaborated as much as possible. The Council had bought into programmes such as the Cyber 360 Programme that was considered to help improve data security. In terms of this programme there was a free consultation on business continuity; the Business Continuity College or Emergency Planning College would be offering assistance to facilitate that; this would normally come at a high cost however was made available because of the Council’s volunteering approach in helping national programmes;
|
(i) |
intelligence pooling from other local authorities was a strong aspect of the Council’s approach in dealing with cybersecurity. The Council had benefited from support from the Department of Culture, Media and Sport with regards to access to agencies to do assessments of our cyber defences;
|
(j) |
the Council had a robust separation of data streams therefore in the event of a cyberattack not all systems would go down at the same point;
|
(k) |
Councillors were encouraged to read and follow good practices associated with the Cyber-security hints, tricks and tips offered to staff in order to protect themselves and the Council's data and systems assets. It was highlighted that the most likely form of attack, was likely to be an email purporting to come from a reputable source, but actually containing something damaging. |
The Committee agreed:
1. |
that the hints and tips advice associated with cyber security is circulated to all Members;
|
2. |
that as part of the Councillor Induction Programme, a specific short session on cybersecurity is included so that new Members are aware of how to be secure both on Council equipment and on using their own personal device;
|
3. |
that a part 2 (private) briefing session is scheduled in the new municipal year (2023/2024) upon cyber security in order to provide Members with a broader understanding of the technical knowledge associated with cyber security;
|
4. |
to note the Cyber Security report. |
Supporting documents: