The Service Director IT will submit a report outlining the current position in relation to the number of information security breaches and cyber incidents which have been reported and investigated during Quarter 3 (1st October to 31st December, 2017).
The Service Director IT submitted a report providing details of the Council’s position in relation to the number of information security breaches and cyber incidents that had been reported and investigated during Quarter 3 of the 2017/18 financial year.
The report, which was the third submitted in accordance with the recently revised Audit Committee Terms of Reference and Work Programme, was presented by Mr D Robinson (Service Director IT).
- In relation to Information Security Incidents:
  - There had been 43 incidents reported, of which 3 involved a third party (school, system provider or other local authority). After investigation, 11 had been found to be unsubstantiated and 6 were undergoing further investigation.
  - 17 incidents had been recorded as Actual Breaches of the Data Protection Act and 12 were recorded as Weaknesses that could have caused risk to the Council.
  - The report, in categorising the incidents by Service and by type, indicated that the most frequently occurring were those disclosed in error: emails sent to the wrong recipient, incorrect recipients copied in, not using encryption, etc.
  - A summary of the lessons learned and action taken was provided, and it was noted that the Information Governance Board and Service Directors continued to support the Information Governance Team with the investigation and resolution of incidents.
- In relation to Cyber Incidents:
  - 609 incidents had been reported, which was a considerable increase from the previous quarter. Of those:
    - 223 had been reviewed and no further action taken;
    - 336 were real phishing emails, with the sender being blocked;
    - 7 attacks had been successful and remedial action had been taken;
    - 43 others had been referred to the security team for advice and had been resolved.
  - There had been a significant increase in the number of phishing emails, but because of the training courses and awareness sessions being delivered these were now being recognised as such. A number of incidents had targeted Council employees with malicious invoice payments, using email addresses from partners and also from the Council itself (spoofed addresses) so that they appeared genuine.
  - The tender for cyber security defences was nearing the final stages prior to the awarding of contracts, and it was hoped that, once installed, there would be a positive impact on the incident figures.
  - Due to the concerning trend emerging within Quarter 3, the training element of the Security tender would prove invaluable in terms of educating users as a good line of defence. In addition, IT Services were working with the Communications Team on a plan to raise awareness internally of a number of security issues.
In response to questioning, the following matters were raised:
- It was noted that a recent email to Elected Members had been sent in error and this matter had been addressed.
- There was a discussion as to where phishing emails originated from and of the difficulties in preventing them from being received. Improved awareness of staff and improved security arrangements were having a positive effect in reducing the impact of such emails.
- The request in relation to the use of MSN messaging, particularly in relation to residents contacting Elected Members, could be investigated.
- It was reported that any lost or stolen hardware could not be used to gain access to the Council’s network, as such hardware was always encrypted.
- Discussions would be held with the HR Service in relation to ‘repeat’ offenders who perpetually broke IT procedures and thereby ‘threatened’ the Council’s IT infrastructure. The Head of Internal Audit and Corporate Anti-Fraud informed the Committee that a report was due to be submitted to the Information Governance Board tomorrow which addressed these types of issues. It was hoped that digital skills would be an essential element of any recruitment process in the future.
- In response to specific questioning, the Executive Director Core Services explained his role as Senior Information Risk Owner and his work at a strategic level with the Head of ICT, the Service Director IT and the Information Governance Team, together with the developing work and role in relation to the General Data Protection Regulations (Minute 55 refers).
RESOLVED that the report be received and Mr D Robinson be thanked for attending the meeting and for answering Members’ questions.