Agenda item
Cyber Risk and Response Briefing
Minutes:
Councillor Dann (Cabinet Member for Customer Experience, Sport, Leisure & HR, and OD) and Pete Honeywell (Transformation Architect Manager) delivered the Cyber Risk and Response Briefing and discussed:
a) Public awareness of cyber threats was growing due to recent significant attacks;
b) Due to the extensive use of IT resources, cyber attacks posed a significant threat to organisations, including the council, and could disrupt business activities for extended periods of time;
c) The recent utilisation of Artificial Intelligence (AI) applications by organisations posed further security risks, and work was ongoing within the Council to ensure sufficient protections, due diligence and safeguarding were in place;
d) Human error was a recognised vulnerability in cyber security. It was important that Councillors and staff completed their necessary training and software updates in a timely manner;
e) A new security protocol would be launched, requiring staff to update their laptops/computers within 30 days. Failure to comply would result in the devices being locked out.
In response to questions, the Board discussed:
f) The potential of increased cyber risks for the Council due to Plymouth’s military importance. The data did not indicate a correlation;
g) Plymouth received security alerts from the Ministry of Housing, Communities and Local Government and the National Security Centre;
h) When security alerts were received, a specialist team within Delt Shared Services provided an immediate response and carried out appropriate risk assessments and mitigations;
i) Third party monitoring was undertaken of PCC’s infrastructure to identify potential vulnerabilities;
j) It was essential that staff and Councillors were trained and aware of cyber security risks, as staff could unintentionally provide access for security threats;
k) There were some challenges reporting suspicious emails on mobile phones;
l) The Council’s email defences included a protection against spam. Around half of all emails sent to the Council were deflected as suspected spam and did not reach the end users;
m) The team worked with Councillors and staff to ensure security was maintained when external applications were required;
n) Support was provided by the Council to staff and Councillors who fell victim to cyber threats. These events had often proven valuable learning opportunities for the individuals affected, as well as the wider organisation.
The Board agreed to pass a resolution under Section 100A(4) of the Local Government Act 1972 to exclude the press and public from the meeting for the following items of business, on the grounds that they involved the likely disclosure of exempt information as defined in paragraph 3 of Part 1 of Schedule 12A of the Act, as amended by the Freedom of Information Act 2000.
(Please note, there is a confidential part to this minute)
Following a return to Part 1 (Public Meeting), the Board agreed:
1. To note the briefing;
2. To request that the Cabinet member worked with the Transformational Architecture Manager to review the process for reporting suspicious/threatening emails across the range of staff electronic devices, to ensure they were consistent and effective;
3. To request that a written report on the above action was provided to the Scrutiny Management Board when complete;
4. To endorse the approach that Councillor cyber security policy, including training and security requirements, was delivered in line with that expected of staff.
Supporting documents:
- Cyber briefing cover sheet for SMB, item 11. PDF 151 KB
- Cyber briefing for Scrutiny MB 1, item 11. PDF 116 KB
