

Agenda item

STRATEGIC RISK REGISTER DEEP DIVE - TECHNOLOGY

To consider a progress report on individual risks identified in the Council’s Strategic Risk Register.

Minutes:

The Committee considered a deep dive into the Strategic Risk “Technology” which included the sub-risks (a) ‘Cyber Threats’, (b) ‘Non-compliance with data protection legislation’ and (c) ‘Inability to undertake business critical activity due to software failures’.


(a) Cyber Threats

(c) Inability to undertake business critical activity due to software failures


Mr Tony Doyle, Head of ICT Services, presented an update in relation to sub-risks (a) and (c). He informed members that cyber threats represented the most substantial element of the risk and that even large organisations could not be completely immune from cyber-attacks. Work at the Council therefore focussed on how to reduce the threat posed. As part of this the Council was conducting a pilot programme called “Phish It” which would use new software to identify phishing emails. This pilot would be undertaken with the IT team during July 2023, following which it was planned that the software would be implemented across the Council from September 2023.


It was also reported that the Council had undertaken discussions with Lancaster University regarding undertaking a ransomware test attack. It was hoped that such a test would allow the Council to assess its response and inform future cyber security planning.


Mr Doyle also reported that the Council had a new cyber security insurer who had outlined the additional help they could provide to the Council to protect against cyber threats. This included regular scanning of the Council’s systems to identify potential weaknesses.


Increased software system resilience was also reported, with HR and payroll being moved to cloud based systems. Mr Doyle added that the contracts with the suppliers of cloud hosting had been written to ensure that the Council maintained control regarding access and authentication.


The Committee discussed safeguards for business critical systems, with Mr Doyle explaining that all the Council’s services were encouraged to consider how they would operate without IT systems, including paper based working. It was recognised that in some areas this presented a significant challenge and therefore IT regularly reviewed the safeguards in place. Mr Doyle reported that, in the event of a significant cyber-attack, the Council had two data storage sites, with backed-up power supplies to ensure their operation in the event of attacks on the power system. The Council conducted daily back-ups of its data to the storage sites and IT services regularly conducted exercises on data recovery.


(b) Non-compliance with data protection legislation


Mr Mark Towers, Director of Governance and Partnerships, presented an update in relation to the sub-risk. He reported that the primary mitigation was undertaken by the Council’s Data Protection Officer (DPO) and their team. This team worked to ensure data protection legislation was complied with both at the Council and its wholly-owned companies. In addition, the DPO was responsible for undertaking audits across the Council into data protection compliance in areas where breaches had been identified. The DPO also regularly reported on data protection issues into meetings of the Corporate Leadership Team to ensure awareness at the highest levels of the Council. He added that a General Data Protection Regulation audit by the Information Commissioner’s Office had rated the Council “Good”, which had positively demonstrated the mitigation in place.


A key part of data protection work was ensuring staff awareness of the relevant legislation and their responsibilities under it. All staff therefore were required to undertake data protection training as part of their induction, and then undertake refresher sessions throughout the course of their employment at the Council.

The Council had also moved its documents to the SharePoint system. This software allowed greater control of access to documents, ensuring their security.


Mr Towers also informed the Committee that the reporting of breaches had in some cases led to claims being made against the Council from people who believed they had been negatively impacted. Despite this the Council had successfully defended itself against the claims made and it was believed that these successes would help deter future claims being made.


Members discussed data protection training in relation to agency staff contracted at the Council. Mr Doyle explained that the Council had processes in place to restrict the access of agency staff to the Council’s systems, and that their IT accounts would automatically expire at the end of their contracted period. All agency staff were also required to undertake the same data protection training as directly employed staff before they could access Council IT systems. Across the Council it was reported that Cyber Awareness training had a take-up of 95%.


It was queried if the work being undertaken and planned would have an effect on the risk rating, which was shown as high. Mr Doyle explained that this was unlikely and that the level of risk would remain high as the threat was expected to increase as technology developed, highlighting that Artificial Intelligence would create a significant challenge. The highest area of risk at the Council was reported as payroll, in light of the significant level of financial transactions it was responsible for.


Resolved: That the update be noted.
