Agenda item

Presentation on Cyber Security Measures

Presentation by Khy Perryman, Information Security & Governance Manager.

Minutes:

13.1     The Information Security and Governance Manager gave a presentation on the Council’s cyber security arrangements, including measures to counter ransomware attacks. He outlined that the National Cyber Security Centre (NCSC) had identified ransomware as the number one threat to local government organisations. He gave the example of Redcar and Cleveland Borough Council where a ransomware attack got through to their core IT infrastructure via an older, legacy system which had less protection. This resulted in Redcar and Cleveland Council being unable to access databases and machines, forcing them to close services and initiate business continuity arrangements. The estimated cost of the attack was £10.4 million including damage to IT systems, loss of income, decreases in productivity and the impact on staff.

 

13.2     The Council constantly monitors cyber security threats and uses a wide range of cyber security measures to protect its systems and information from ransomware. Some of the measures used include:

 

  • Protective Domain Name Service (PDNS), a tool provided by the NCSC that checks domains are not linked to malware or other threats when a user clicks on a link or searches for something using a URL (Uniform Resource Locator) or web address.
  • Trusted Platform Module (TPM) microchips are used in new laptops to give added encryption protection, making them less vulnerable to attack and more resilient.
  • Moving to ‘Always On’ VPN (Virtual Private Network) to enhance security.
  • Increasing the resilience of services by using things such as ‘hot, hot’ data servers for business critical systems to ensure there is no downtime if a back-up server has to take over.
  • Increasing the use of virtualised servers and blade servers to make it easier to take servers off-line and quicker to bring them back online if there is a problem.
  • Continuing to develop shared intelligence through the NCSC Cyber Security Information Sharing Partnership and work with other local authorities. This helps to identify emerging threats and the NCSC can also identify any weaknesses or issues with systems, including third party systems.
  • Collaborative working with our Orbis partners Surrey County Council and Brighton and Hove City Council, sharing lessons learnt and security configurations.
  • Continued development of in-house cyber security staff, including five staff who hold NCSC accreditation which is equivalent to a Masters level degree.
  • Holding three back-ups in two locations with one off-line (3-2-1 rule) to protect against ransomware, which is something NCSC is promoting as best practice.

 

13.3     The Council is constantly working to improve and maintain its resilience in the event of an attack. It is likely that the Council will be targeted, and this may result in some system downtime. The Team is working with departments and partners to see what the impact of various scenarios would be, and how they would cope with system downtime (e.g. 24 hours downtime, 48 hours downtime etc.) to help inform their resilience and business continuity plans.

 

13.4     The increase in remote working during the pandemic has presented some challenges and the Council has adapted its security posture to take this into account. This has included centrally reviewing new tools and systems requested by users, to risk assess them and strengthen security.

 

13.5     The Committee thanked officers for the informative presentation and were reassured and impressed by the measures being taken to protect the Council’s systems and information from cyber security threats. The Committee discussed the presentation and a summary of the points raised is given below.

 

  • The Committee asked whether all services were now on virtual infrastructure and whether exercises are conducted that rehearse the realistic effect of what would happen in the event of a ransomware attack. The Information Security and Governance Manager responded that the exercises are carried out with departments which rehearse the impact on core IT services such as email and individual departmental systems. This can be from a very minor outage to a major outage with widespread system failure. The majority of infrastructure is now virtualised due to the ease of restoring systems, but some is still provided on non-virtual infrastructure to add resilience.

 

  • In addition to the 3-2-1 back-ups referred to earlier, there are incremental back-ups and cloud back-ups that capture smaller changes in files that allow reversion to earlier versions of files. The back-up system includes a centralised back-up group which has incremental back-ups, and the two data centres have their own separate storage for resilience as well as an off-line back-up so it is possible to restore systems in the event of the other two back-ups becoming corrupted. The data centres used are Tier 3 which is the highest level of data centre in terms of resilience and security.

 

  • The Committee enquired whether there were sufficient trained and accredited staff for the Council’s needs and whether staff and councillors’ working practices posed a risk. The department is seeking to train as many certified staff as needed and checks the NCSC credentials list regularly to ensure all staff have up to date training when new items are added. Digital footprint training is provided to all staff, where staff are shown how their footprint affects them, and how to keep themselves and systems secure. This training is run almost every week and is targeted at individuals and their job role in order to cascade the learning through their work life and their use of IT outside work. It is likely that councillors may be targeted by malware because of their role. The Information Security and Governance Manager offered to set up some training sessions for councillors and the Committee agreed that they would be interested in attending this type of training.

 

  • It was clarified that ESCC does use one of the systems that Cleveland and Redcar Council had when it was attacked, but our system has been maintained up to date and is not legacy, and therefore does not pose a risk. All ESCC systems are regularly updated and patched to fix any known security weaknesses, which alongside regular training, provides some of the most effective measures against cyber attacks.

 

  • The Committee asked if the Council has warning systems in place that can warn or advise users in the event of an attack. The Information Security and Governance Manager confirmed that the Council has multiple systems for notifying users when there are issues with the systems that they are using.

 

13.6     The Committee RESOLVED to:

1)    thank officers for the very detailed presentation;

2)    note the presentation and that the Committee is satisfied with the cyber security measures that are in place; and

3)    confirm that no further scrutiny of this topic is necessary at this point in time.