Minutes:
Ruth Luscombe, Assistant Director of Digital and Transformation at Stevenage Borough Council (SBC), gave a presentation updating Members on the current state of Cyber Security across the IT partnership between the Council and SBC.
The internal audit which had been carried out in the financial year of 2018/19 had identified a number of risks and associated management actions. Whilst progress had been made, there were still five outstanding areas to address, of which two were high risk areas:
· Unauthorised devices attempting to connect to IT network (high risk);
· Inappropriate firewall configuration and absence of defined firewall management procedures (high risk);
· Inadequate training on information and cyber security (medium risk);
· Absence of approved cyber security incident management procedures (low/advisory risk);
· Inadequate monitoring of network activity and network performance (low/advisory risk).
In relation to the first and final of the outstanding areas, the Council had made progress by implementing the Microsoft Intune based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution. This allowed the remote management of devices connected to the network. All new devices were now registered through this software and full implementation was expected by the end of the third quarter of 2020. Another related outstanding action was the implementation of a network access control mechanism to identify, review and report on devices that had physically connected to the IT network. Procurement for this was ongoing and was expected to be completed by the end of the current financial year.
In relation to the second area, a specification for the replacement of firewalls was in preparation, with procurement planned to be completed by the end of October 2020. There was also work being carried out to document changes to the firewalls, which was anticipated to be completed by the third quarter of 2020.
In relation to the third area, and in particular staff training, the Council had implemented, and was currently testing, a meta-compliance product. This would give the Council the ability, amongst other things, to simulate phishing attacks and identify staff that may be particularly susceptible to these. Targeted training could then be arranged. The creation of an Information Governance Team, which would have responsibility for GDPR and cyber security training, was being sought. The scope and associated resourcing levels required approval from the Council and SBC. The target completion date was November 2020.
In the fourth area, the Council’s Cyber Security Incident Management Protocol was partially completed. After a period of preparation, the Council would engage an external vendor to complete the work. This process had been delayed due to the COVID-19 pandemic, but the Council hoped to complete this by the end of the third quarter of 2020.
The Chairman asked for further details regarding network access control and whether budget restrictions were still a constraint on the IT partnership between the Council and SBC.
The Assistant Director of Digital and Transformation said network access control also related to the in-tuning of devices, and that the Council planned to procure this work externally, alongside other network upgrades. She confirmed that the budget was adequate to address the outstanding areas. The main challenge lay in having the capacity to work through the outstanding actions.
The Chairman referred to the report on General Fund Revenue and Capital Outturn, saying he had noticed that funds for technology services had been carried over from the previous year.
The Assistant Director said she had only been in post since May 2020 and therefore could not speak to any events prior to this, but that the IT strategy had been signed off by both the Council and Stevenage Borough Council (SBC) and this comprised a comprehensive work programme. There had been significant spending on developing the appropriate team to carry out this programme, and the fact that actions had been carried over reflected the complexity of it. There had also been a further delay due to COVID-19 but work was now progressing at pace.
Councillor Ward-Booth asked whether it was considered that there were greater risks to the Council’s Cyber Security with the majority of staff working from home due to the COVID-19 pandemic. He also asked whether there were further security procedures being considered, such as multi-factor identification of staff identity when accessing Council devices and networks, and physical safeguards, for example Council devices being modified to prevent the insertion of USB sticks.
The Assistant Director said there was an increased risk associated with staff using Council devices and networks whilst working from home, although this was a universal consideration, rather than being specific to the Council. The implementation of the virtual desktop which staff used helped to mitigate these risks. These increased risks underlined the importance of the Council’s ongoing work on cyber security. Specifically, multi-factor identification was being considered as an option. However, limited information could be accessed outside of the virtual desktop, which reduced the risk. Ongoing consideration was being given to the risks posed by staff working from home, and she highlighted potential progress to be made in terms of hardware.
The Deputy Chief Executive said the virtual desktop was exceptionally safe. Only two attempted cyber attacks had been made against the Council in the last six months, both of which had been thwarted. The Council was duty-bound to follow the Government’s guidance on penetration testing, whereby the Council paid third parties to try and gain unauthorised access to systems, so it could make any necessary changes highlighted by this process. Members should be reassured that there was no imminent threat to the Council’s cyber security.
The content of the presentation was noted by the Committee.
RESOLVED – that the presentation be received.