
SAFEGUARDING AGAINST CYBER RISKS

To provide an update in relation to the actions being taken to reduce cyber risks.

Minutes:

The Committee considered a report in relation to the actions being taken to reduce cyber risks within the Council. The report was presented by Mr Doyle, Head of ICT Services.


Mr Doyle spoke in relation to the content of the report. He began by explaining that cyber attack was now one of the top five threats to the Gross Domestic Product of all the UK’s major cities. The threat of cyber attack was now greater than it had ever been. To mitigate against the risk, the Council had now taken out insurance as a means of protection, as well as undertaking a number of pro-active initiatives to help minimise the risk of attack. These included:

· Purchasing leading network and security systems from world class vendors.

· A partnership with the Lancaster University based TNP (The Networking People), who supported the Council in configuring and managing its network and security systems.

· Regular ethical hacking/penetration tests to detect and report on vulnerabilities, carried out by highly qualified external experts NTA Monitor, who are accredited under the CHECK system by the Communications-Electronics Security Group, part of Government Communications Headquarters.

· Compliance with the Cabinet Office's Public Services Network Code of Connection, a security assessment and standard which included an externally assessed annual IT Health Check to confirm that the Local Authority could be trusted to share and handle information securely with other public bodies.

· Compliance with the Payment Card Industry Data Security Standard to ensure the Council was trusted to process its large number of credit and debit card transactions.

· Compliance with the NHS N3 Information Governance Toolkit to ensure the Local Authority could be trusted to share and handle information securely with other NHS bodies.

Mr Doyle went on to explain the top three known cyber threats to the Council and its user community, as follows:


Email – This was explained as the greatest threat and vulnerability. The Council received approximately half a million emails on a typical day. Around 485,000 of these were filtered out, leaving only approximately 15,000 legitimate emails.


Ransomware – It was explained that some of the zero day threat emails were designed to encourage email users to download a ransomware payload. Ransomware was designed to encrypt the files on the device and on the network it sits on. In order to regain access to the files, the ransomware demands that the victim pay a ransom, and the longer the victim delays payment, the higher the ransom goes. The only way to recover from a ransomware attack without paying a ransom was to ensure that a secure backup of the data was in place before it was encrypted. It was reported that last year Lincolnshire County Council had to shut down all of its computer systems for four days to recover from a ransomware attack.


Password Security – Just before Christmas it was reported that the Internet giant Yahoo had been hacked, with over one billion customer account details, including passwords, being stolen.


The Council requires users to set complex passwords and to reset them every 90 days, and for external access from the Internet it required some form of two factor authentication. This mitigates the risk to some degree. However, it was always possible that there were users who had broken the ICT Security Policy and stored some Council data outside of the Council's security systems. Such data could become vulnerable if a user's password had been compromised in the Yahoo attack and the same password was being used for other accounts.


Mr Doyle concluded his report by explaining the ICT staff turnover rate and current cyber skills. In October 2016, the Audit Committee had asked about the turnover of ICT staff and whether suitable people were in place. It was reported that during the last 12 months there had been a turnover of six employees, who had succeeded in gaining higher salaries with other employers in the North West.


The Committee was reminded that the IT and digital industries continued to grow at unprecedented rates and it was not unusual for good quality employees to move on quickly and gain promotion. In the current austere environment, it remained a challenge for the public sector to retain skilled and talented IT staff due to the current pay restraints. In particular, employees with cyber skills were in very high demand. Mr Doyle explained that the main way the Council had mitigated against this risk was through the partnership with TNP at Lancaster University. TNP specialised in networking and security and in many ways were better placed than the Council to attract talented cyber security and network specialists.


The Committee was informed that alongside TNP the Council did have a number of in-house experienced members of the IT team who understood the requirements to build and maintain compliant and secure IT systems.


Mr Doyle responded to a number of questions from the Committee. Members acknowledged the ICT security training that was given to all office based Council staff, but pointed out that this was not a requirement for elected members. Mr Doyle explained that cyber awareness training had been offered to Councillors prior to a meeting of full Council in 2016 but the take up had been low. The Committee agreed that the training should form part of the mandatory induction process for Councillors and Mr Doyle agreed to follow this up by way of a recommendation from the Committee.


In connection with staff turnover and recruiting people with the desirable skill sets, Mr Doyle explained that the Council had been successful in recruiting new employees. He acknowledged that more expertise would always be desirable, although the partnership arrangement with TNP had assisted considerably.


Members asked about the insurance that the Council had taken out against a cyber attack, and how confident the Council was that the safeguards in place were sufficient for a claim not to be refused. Mr Doyle explained that confidence levels were high as a result of the due diligence checks that had to be undertaken before the insurer took on the risk. Mr Doyle was also asked about the possibility of the Council falling victim to an attack similar to that in Lincolnshire, which had disabled that Council’s systems for four days. He explained that whilst it was not impossible for this to happen, the measures that Blackpool had in place would hopefully mitigate against such an attack as far as possible.


In relation to succession planning, the Committee asked whether any attempts had been made to recruit local staff. Mr Doyle explained that TNP had staff on their workforce from the Fylde Coast and that the Council was conscious of the social value obtained from the partnership.


Asked about IT penetration testing, Mr Doyle confirmed that this formed part of the audit process. As part of this, test emails would be sent out to staff to determine the level of risk and to identify where training would need to be directed.


On the subject of shared server space with other organisations, Mr Doyle explained the shared arrangements that were in place with the NHS and the similar compliance framework that existed across each organisation. He also explained the cross auditing processes that were in place.


The Committee agreed:

1. To note the report.

2. To recommend that ICT security training becomes part of the mandatory training process for all elected members.

Background papers: None.
