Minutes:
Gareth Lucey from Audit Wales presented this report. This report has been issued to all audited bodies in Wales confidentially. Putting this report into the public domain could lead to an increase in cyber-attacks against public sector bodies, which is undesirable. This is being seen as the beginning of discussion, to inform and educate any further actions. Cyber-attacks are becoming a growing and common threat; there were around 1 million unsuccessful cyber-attacks in the last year alone.
This report is largely survey based. What it shows is a variable picture across the public sector. What we are doing is to consider, from this national report, what can be done locally to take this forward.
The Head of People and Business Change emphasised the confidentiality on this agenda item. He assured the committee that there is no complacency on the part of NCC. As a Council we are in a good position, particularly with SRS as our strategic partners. This is something of daily concern to himself and SRS. This is with regards both to digital services as well as counter-terrorism. The risk is very high to public bodies, both from criminals, organised crime, and terrorism. This is from a digital point of view, as well as a physical location.
The Digital Services Manager explained that this is a significant report. The threat level has increased over the past few years. This is very much a business as usual activity for NCC. There are measures currently in place to mitigate these risks. The team work on significant solutions to prevent the spread of ransom-wear, and further solutions for worst case scenario. There had been a significant incident previously with a travel company, which had a huge impact on their services. In the public sector, Redcar in Cleveland was hit with ransom-wear. The threat is out there and having an impact. The Irish health service has also recently been attacked. NCC is taking specific steps to boost its own protection.
There are technical and non-technical measures in place to reduce risk. We are now in the process of compiling the 9th report regarding information risk. We are aware that this is a real risk, but there are a number of measures to ensure that these risks are mitigated.
Kathryn Beavan-Seymour from SRS explained that 30% of SRS activity is related to preventing risks. Penetration tests are provided by external companies, which provide reports on partner organisations to ensure everything is working properly. There are full anti-virus capabilities, email detection etc. Web-proxy is in place which monitors all internet access to protect against threats. Schools have WG specific process in place to ensure only age specific content is available. SRS have put a tender process together to monitor against defence throughout the organisation- this went out to tender in Feb/March, currently compiling the business case for this to go out to all partners. Recently carried out an internal audit as well.
The Head of People and Business Change reported that a group had recently attended an All-Wales cyber-resilience event, considering business continuity and cyber-attack issues. This is being kept in everyone’s consciousness across Wales. If the attack is of the nature that it can’t be defended against, then recovery is the critical aspect.
Discussion included the following:
· The Chair commented that it is very reassuring that all of these measures are in place. Is there a plan for a local audit in Newport?
o Gareth Lucey from Audit Wales explained that it is currently up for discussion, deciding how best to take this forward.
· Members emphasised that what Kathryn outlined could act as a type of audit. What is the reporting line back to NCC?
o Kathryn Beavan-Seymour explained that SRS report back on a monthly basis to the Newport group.
· Members commented that it is essential to take this seriously. There is no complacency in the officers in this Council.
· Important to note that the Council response is very comprehensive and this issue is taken very seriously by all involved. The Committee appreciate the work being done to achieve this.