Agenda item

Cyber Security Update

This report gives an overview of the actions undertaken by the Council’s IT team and its suppliers to protect its network and communication channels.

Minutes:

Veronica Barella (Chief Information Officer) presented the report that gave an overview of actions the Council had taken to reduce its exposure to cyber-security risks. A report went to Cabinet on 9 October 2017 entitled ‘Cyber Threat Remediation’ recommending the following key actions that had since been implemented:

· The introduction of multi-factor authentication

· An enhanced level of Microsoft licensing

· Better monitoring of suspicious login attempts

· A review of file types used to block malicious files

Multi-factor authentication, the use of an associated device or authenticator app to verify identity, had been well received.

The licensing upgrade involved trusted machines and trusted networks, which meant the IT department could remove onerous authentication steps for users while keeping the same high level of security.

The IT service desk (delivered by Agilisys) monitored suspicious login attempts (e.g. from an unexpected country) and would lock the account, then contact the user directly to recommend they change their password.
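The monitoring the service desk is described as doing, as an added illustration rather than the Council's or Agilisys's own tooling: learn which countries each account normally signs in from, flag later sign-ins from anywhere else, and separately flag a run of failures followed by a success from the same address. The log format and every account, IP address, country and timestamp below are constructed for the example.

```python
"""Spot sign-ins that deserve the 'lock the account and contact the user' treatment.

Added example, not the Council's or Agilisys's monitoring code. The log format
and all accounts, addresses and countries are constructed. Real sign-in logs
carry more fields, but the two checks are the same: a sign-in from a country
the account has no history with, and failures followed by a success from the
same IP.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <source IP> <GeoIP country> <outcome>
SAMPLE_LOG = """\
2019-06-03T08:12:04Z alice 203.0.113.10 GB success
2019-06-03T08:15:40Z bob 203.0.113.11 GB success
2019-06-04T09:01:12Z alice 203.0.113.10 GB success
2019-06-04T18:47:59Z alice 198.51.100.7 RO success
2019-06-05T02:30:00Z bob 192.0.2.55 BR failure
2019-06-05T02:30:21Z bob 192.0.2.55 BR failure
2019-06-05T02:31:05Z bob 192.0.2.55 BR success
"""

# Events before this point are history used to learn each user's normal
# countries; events after it are judged against that baseline.
LEARN_UNTIL = datetime(2019, 6, 4, 12, 0, 0)


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    ip: str
    country: str
    outcome: str


def parse_log(text):
    """Parse the whitespace-separated sample format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, ip, country, outcome))
    return events


def build_baseline(events, learn_until=LEARN_UNTIL):
    """Countries each user successfully signed in from before learn_until."""
    baseline = defaultdict(set)
    for e in events:
        if e.outcome == "success" and e.when < learn_until:
            baseline[e.user].add(e.country)
    return baseline


def unexpected_country(events, baseline, learn_until=LEARN_UNTIL):
    """Sign-ins after learn_until from a country the user has no history with.
    Failed attempts count too: an attempt from an unexpected place is worth a
    look even when the password was wrong."""
    return [e for e in events
            if e.when >= learn_until and e.country not in baseline.get(e.user, set())]


def summarise(flagged):
    """Collapse flagged events into {user: set(countries)} for the service desk."""
    out = defaultdict(set)
    for e in flagged:
        out[e.user].add(e.country)
    return dict(out)


def guessed_then_success(events, min_failures=2, window=timedelta(minutes=10)):
    """(user, ip) pairs where at least min_failures failures from one IP were
    followed within `window` by a success from the same IP: the shape of a
    password being guessed rather than mistyped once."""
    hits = []
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_pair[(e.user, e.ip)].append(e)
    for (user, ip), seq in by_pair.items():
        recent_failures = []
        for e in seq:
            if e.outcome == "failure":
                recent_failures.append(e.when)
            elif e.outcome == "success":
                recent = [t for t in recent_failures if e.when - t <= window]
                if len(recent) >= min_failures:
                    hits.append((user, ip))
                recent_failures = []
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    base = build_baseline(evs)
    for user, countries in summarise(unexpected_country(evs, base)).items():
        print(f"{user}: sign-in from unexpected country {sorted(countries)} "
              f"-> lock account, contact user, advise password change")
    for user, ip in guessed_then_success(evs):
        print(f"{user}: failures then success from {ip} -> treat as compromised")
```

Both checks deliberately produce a per-account result rather than a per-event alert, since the response the minutes describe (lock the account, then phone the user) is taken once per account, not once per log line.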

 

Councillor Rebecca Harvey asked if the system linked accounts to IP addresses. Adrian Dewey (IT Security Manager) said it did – the network addresses for all devices were logged and marked as ‘trusted’.

Veronica Barella noted that one of the key risks was Office 365 because it was cloud-based. Cloud-based applications gave greater flexibility (they could be used from most internet-connected devices) but presented some additional risks, as data was stored outside of the Council.

The Council was also in the process of moving all file-shares to the cloud-based SharePoint Online. IT carried out a risk analysis and identified an issue with users sending sharing links to sensitive data, which made it difficult to manage. In response to this, additional controls were put in place for Children’s Services and Adult Social Care – users in those departments could not send links to anyone outside of their department. This meant they still got many of the benefits of collaboration but couldn’t expose sensitive data to anyone without permission to see it.

Veronica Barella reported that new laptops with Windows 10 and mobile phones had been successfully rolled out to all officers. The previous version of Windows, Windows 7, would no longer be supported by Microsoft from January 2020. Before carrying out the Windows 10 roll-out, IT had their prototype Windows 10 device independently assessed by security experts. They found no critical vulnerabilities and some minor issues, which were fixed before the roll-out to staff.

Veronica Barella noted that the Council was due for an updated Public Service Network Certificate in September. The certificate was granted by the Government to enable access to Department for Work and Pensions data. The Council had asked for a six-month extension to the September deadline because of imminent changes to the security patching process. This had been agreed with the Department for Work and Pensions and was considered low risk.

Veronica touched on the Council’s social media accounts and the security around them to prevent unauthorised access that could cause reputational damage. Veronica said she had confirmed with the Communications department that the governance was robust.

Councillor Alex Karmel asked if the roll-out of Windows 10 meant the Council had stopped its ‘bring your own device’ policy. Veronica Barella said all staff had been given a laptop (or tablet / hybrid device) and mobile phone. Many applications that staff used every day weren’t cloud-based so couldn’t be accessed on non-Council machines.

Councillor Karmel asked if there was any facility for off-site working. Veronica said staff could work on Wi-Fi from any location or tether from their phones.

Councillor Karmel asked if the Council used a VPN (Virtual Private Network). Adrian Dewey said it did.

Councillor Karmel asked if any breaches of the Council’s network had been discovered since the migration to Windows 10. Adrian Dewey said there hadn’t been any breaches. Hitesh Jolapara (Strategic Director of Finance and Governance) commented that there had been many attempts to breach the network but there hadn’t been any breaches because of the robust security in place.

Councillor Karmel asked what the cost of the license upgrade had been. Veronica Barella said the licensing cost was £60,000 per year. She added that the Council had to negotiate hard for this price after the supplier on the Government framework tried to significantly increase it after a deal was agreed.

Councillor Matt Thorley asked what training the Council provided to staff around suspicious emails, phishing attempts etc. Veronica Barella said regular messages were sent out to staff warning about particular security issues. If a new phishing attempt was identified, engineers could delete the emails from the system backend. IT would then send a communication to all users warning them and advising on what to do if they received something suspicious. Adrian Dewey noted that data security and information management were a mandatory part of the Council’s induction process for new staff.

Councillor Thorley asked if the Council brought in third parties to test its response to these types of attacks. Veronica Barella said they hadn’t to date – it was something that would be considered but the department would have to weigh up the value against the cost.

Councillor Thorley asked how the Council checked the authenticity of invoices and supplier payment details.

Hitesh Jolapara explained that the procurement process had a number of checks built in – a member of staff requisitioned goods, that request had to be approved by their line manager, then they would have to be goods-receipted. Only after all of these steps would a payment be made to the supplier. Auditors also carried out sample checks on a regular basis.

Councillor Thorley asked if the Council went back to the supplier to confirm their bank details. Hitesh Jolapara said the supplier entered their details themselves when registering and they could check and update the details themselves.

The Chair asked how many users had access to the Council’s social media accounts. Veronica Barella said only the communications team had access.

The Chair asked what the process was when someone in that team left – were the passwords changed? Veronica Barella said she would follow up after the meeting.

ACTION: Veronica Barella

The Chair asked if the cloud-storage used by the Council was UK based. Veronica Barella said the Office 365 storage was currently based within Europe. The IT department were mindful of this issue and it was part of their Brexit contingency planning. All other cloud storage was UK based. The Chair asked if the Council would request Microsoft to move its data to the UK. Veronica said they could.

The Chair asked if the Council knew who was carrying out the attacks on its network and where they were coming from. Adrian Dewey said there were always small-scale random attacks but there were also larger scale, targeted attacks. The Microsoft perimeter slowed many of these attacks. For IT a key issue was getting the message to staff that they shouldn’t use the same password for different accounts, because if other sites were compromised it left the Council vulnerable.

The Chair asked if there was a reliable way to encourage staff to generate secure passwords. Adrian Dewey said IT were looking at a corporate password manager solution.

Councillor Matt Thorley asked how the Council mitigated the risks of impersonation – i.e. email addresses with minor misspellings that look legitimate at a glance. Like other organisations the Council made significant decisions over email.

Adrian Dewey said at the moment it was simply a job for the recipient. IT did send communications about the need to validate addresses but there was no technical control.
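The kind of technical control the exchange above says was absent, as an added example and not anything the Council operates: compare each sender's domain against the domains the organisation actually deals with and hold anything that is almost, but not exactly, one of them. The trusted domains and every sample address below are constructed; a real deployment would take the trusted list from the supplier register and run the check at the mail gateway.

```python
"""Flag sender addresses that impersonate a trusted domain by a near-miss spelling.

Added example, not a control the Council has or any product's logic. The trusted
domains and the sample addresses are constructed. Three kinds of near-miss are
caught: look-alike characters (rn for m, 1 for l), a trusted name buried inside
another domain, and small typos measured by edit distance.
"""

# Constructed: the domains this organisation expects to receive mail from.
TRUSTED_DOMAINS = {"example-council.gov.uk", "example-supplier.co.uk"}

# Character groups that look alike at a glance; two-character sequences are
# folded before single characters so "rn" becomes "m" before "1" becomes "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

NEAR_MISS_MAX_DISTANCE = 2


def normalise(domain):
    """Lower-case and fold look-alike characters to their plain equivalents."""
    d = domain.lower()
    for lookalike, plain in CONFUSABLES:
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using two rows of memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain). Verdicts, in the order tested:
    'trusted'    exact match to a trusted domain
    'embedded'   a trusted domain appears inside a different, longer domain
    'confusable' equals a trusted domain once look-alike characters are folded
    'near-miss'  within NEAR_MISS_MAX_DISTANCE edits of a trusted domain
    'unknown'    unrelated to every trusted domain; not an impersonation flag
    """
    domain = address.rpartition("@")[2].strip().lower()
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        if t in domain:
            return "embedded", t
    folded = normalise(domain)
    for t in sorted(trusted):
        if folded == normalise(t):
            return "confusable", t
    nearest = min(sorted(trusted), key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, nearest) <= NEAR_MISS_MAX_DISTANCE:
        return "near-miss", nearest
    return "unknown", None


def screen(addresses, trusted=TRUSTED_DOMAINS):
    """Return (address, verdict, match) for every address that should be held."""
    held = []
    for a in addresses:
        verdict, match = classify_sender(a, trusted)
        if verdict in {"embedded", "confusable", "near-miss"}:
            held.append((a, verdict, match))
    return held


if __name__ == "__main__":
    # Constructed sample of inbound senders.
    for addr, verdict, match in screen([
        "finance@example-council.gov.uk",
        "finance@examp1e-council.gov.uk",
        "payments@exarnple-supplier.co.uk",
        "it@example-counci.gov.uk",
        "ceo@example-council.gov.uk.lookalike.test",
        "news@unrelated-example.org",
    ]):
        print(f"HOLD {addr}: {verdict} for {match}")
```

Only addresses close to a trusted domain are held; an unrelated domain is not an impersonation and is left to the ordinary spam controls, which keeps the check from drowning the recipients it is meant to help.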

 

RESOLVED

The Committee noted the successful implementation of the recommendations on cyber-security made to Cabinet in October 2017 and the Council’s ongoing work to improve information security.
