The Governance and Audit Committee had requested at its meeting on 26 June 2019 that an update be provided on both the business continuity and cyber security items included in the Council’s Strategic Risk Register.
Kevin Gibbs, Executive Director: Delivery, provided an update on the Cyber Attack risk.
The key points covered included:
- The business continuity risk underpinned the cyber attack risk.
- All public Local Authorities were subject to cyber attack; this had been well publicised with the Lincolnshire attack and the NHS disable a few years ago.
- There was a high likelihood of attack, as the authority relied heavily on IT systems to undertake day-to-day work. It was important to do everything possible to keep up to date with system developments.
- Keeping staff up to date and aware of issues was very important. For example, phishing emails used to be easy to identify; now they were more crisp and could often fool electronic systems.
- To help combat and lower the likelihood of the risk, actions that had been undertaken so far included ensuring that proper security arrangements were in place and ensuring that staff were trained to a high standard.
- All staff had undertaken mandatory GDPR training.
- The Council was a Member of various government early warning groups.
- Microsoft SCP ATP II License had been acquired for advanced security on Office 365 (Outlook, Office, SharePoint and Teams) as well as security and compliance on all Council data.
- As Microsoft was a global player, it added a level of assurance.
- The move to cloud was expected to happen by the end of 2020. The email system had already moved to Office 365.
- The national infrastructure around cyber security sees the UK as a soft target for attack. The risk appetite didn’t correlate with the national picture but related to the local picture and what was happening around us.
- The risk appetite was what the Council wanted and what could be foreseen. There was no benchmarking data available to compare the risk scoring to.
- The appetite score was low, as this is where the Council wanted to aim towards.
- It was important that steps were taken to make sure that the Council wouldn’t be impacted.
- The unmitigated risk had increased due to the sophisticated environment we were living in.
Kevin Gibbs, Executive Director: Delivery, provided an update on the Business Continuity Management risk.
The key points covered included:
- The risk appetite had decreased. The spike in the graph had been investigated and a review of arrangements was undertaken; as a result, work was undertaken to alleviate gaps.
- Service Business Continuity Liaison Officers and Emergency Planning Liaison Officers had been identified to work with the Emergency Planning Unit.
- Brexit monitoring arrangements had been put in place and action plans were being developed.
- The risk was higher than in 2016/17; it was thought that the organisational restructure had caused this increase. The recent increase was due to the Executive Director instigating a review which highlighted that continuity plans were not robust.
- Emergency Planning services were shared through the Joint Emergency Planning Unit (JEPU); the Councils were looking at continuity across the three bodies and comparing arrangements.
- The risk had jumped in Q1 2019/20 and had been reported to CMT in June.
Some members raised concerns surrounding the term appetite, as it was felt this was confusing and that the appetite should always be as low as possible.
Officers agreed that appetite was a strange word to use; another word that could be used in this instance was tolerance, and members could look at appetite as how much tolerance would be acceptable per risk. Officers also commented that it was unrealistic for there to be no appetite.
Sally Hendrick, Head of Audit & Risk Management, explained that a risk management review had been undertaken in 2014 by an external consultant, which had needed to identify appetite within risk management; this is why appetite was included within risk registers. It was important to have a target of where you want the risk to get down to.
It was requested that the word appetite be changed to target in future reports; Sally Hendrick would take this away and clarify what the Institute of Risk Management states.
Members commented that it was important for the public to also be able to understand the wording within the reports.