Agenda item

Cyber Security

Minutes:

The Committee received a presentation from the Head of ICT and the Chief Internal Auditor and Corporate Fraud Manager that highlighted:

· It's an arms race – a continual battle and not something that could be fixed once and for all
· Being hacked is a real problem and big money for ransomware companies. E-mail scams netted 3m euros last year.
· Cyber Risk – Drivers
  o Technology Expansion – new technology every day, all of it vulnerable to risk
  o Data Growth
  o Evolving Business Models – state sponsored hacking
  o Motivated Attackers – people working globally
· Principles of Cyber Defence
  o Secure configuration
  o Boundary firewalls and internet gateways – attempted hacks on a weekly basis were 2.7m, and one third of all e-mails had malicious content
  o Access control and administrative privilege management
  o Patch management
  o Malware protection
· What we are doing –
  o Physical security of data centres – highly controlled
  o Firewalls – control internet traffic in and out of the system
  o Anti-virus – looks for specific packages
  o Spam filters – try to filter most out
  o Dual factor authentication
  o Whitelisting – hardware & software – specific about what is allowed on the network
  o Training and communication – continually train staff and communicate anything at all suspicious, and not to open or download if unsure
· Internal Audit Helps – assurance over ICT controls. Key questions are:
  o Does the organisation use a security framework? PSN and PCI are used
  o What are the high risks to the organisation related to cybersecurity? e.g. Cloud Computing, Outsourced Business Critical Systems, Disaster Recovery and Business Continuity, Periodic Access Reviews and Log Reviews.
  o How are employees made aware of their role related to cybersecurity? – mandatory training, regional sessions, articles in staff magazines and e-mails.
· Internal Audits
  o Access Controls
  o Physical Security
  o Internet Security
  o Infrastructure/Network Management
  o Mobile Computing
  o Windows Operating System
  o Security Incident Management
  o ICT Purchasing
  o Systems Development and Maintenance
  o Third Party Access
  o Business Continuity Planning
  o ICT Asset Management
  o ICT Risk Management
· Take away thoughts –
  o We must be prepared NOW, not as a reaction to a Cyber Incident
  o Presume we are already breached or vulnerable
  o Think about it holistically – it is not just about penetration testing and firewalls
  o Get assurance. Use frameworks to assist but not to define

The Chairman invited Mr Akdemir to ask a question. He informed the Committee that he was studying cyber-crime on an individual level and said that crime surveys had shown high levels of association with victimisation. He said that the Complaint Centre for cyber incidents had reported a number of people who had experienced a loss of money whilst trying to access the Government's website due to hoaxes. He asked if the Council protected people against such scams. The Head of ICT advised that the Council does filter any malicious content and advises employees not to open suspicious e-mails but to send them to a 'spam' e-mail address or to contact the ICT helpdesk.

Mr Akdemir asked if awareness had been increased for employees, especially when dealing with vulnerable younger and elderly people. The Head of ICT advised that employees received mandatory training and that peer to peer training takes place within schools.

Councillor Davinson asked if there were specific risks when people were using mobile devices and was informed that data traffic from the Council's system to a user's device would feature dual log-in identification as protection. He further asked how this was tackled in schools, in particular through their VLE systems. He was aware that a school child had recently been suspended for hacking into the school's computer system. The Head of ICT said that the school based technology was vulnerable and that the Council did offer advice and support to them. He added that a lot of children try to hack just to see if they can do it. The ICT team had recently given training to a pupil to show him the repercussions of what he had done after hacking a school's system.

The Chairman thanked the Head of ICT and the Chief Internal Auditor and Corporate Fraud Manager for their informative presentation.

Councillor Davinson suggested that this information be taken to an Overview and Scrutiny Committee.


Resolved:

That the content of the presentation be noted.