Agenda item
IT Shared Services/Cyber Security
This report provides an update on Shared Technology Services' (STS) operational performance and progress in implementing the Brent and STS cyber security strategies.
Minutes:
Councillor Conneely welcomed Councillor M Patel, Deputy Leader of the Council and Cabinet Member for Finance, Resources & Reform, to introduce a report from the Corporate Directors for Finance & Resources & Resident Services that provided an update on Shared Technology Services’ (STS) operational performance and progress on the implementation of the Brent and STS cyber security strategies. Fabio Negro, Managing Director of Shared Technology Services, and Rehana Ramesh, Head of Digital Transformation, were present to respond to the Committee’s questions on the report. The following key points were discussed:
· The Committee queried if the partnership between Brent and the partner boroughs in the shared service agreement was likely to remain the same going forward. In response, the Committee was advised that for the foreseeable future it was likely to remain the same; however, there may be opportunities for other local authorities to join in the future.
· In response to a Committee query in relation to the types of cyber attacks the Council had received, the Committee was advised that it was not always possible to identify the origin countries of attacks; however, they were often from countries with poor internet controls, with many identified as originating from Asia. Brent received approximately 10,000 attempts a day, with most attempts at a low level and likely to be individual efforts; however, some attempted attacks appeared to be better resourced and sophisticated, and were suspected to be state actors.
· Following a Committee query in relation to benchmarking Brent’s cyber security performance, the Committee was advised that various benchmarking platforms were in place, which included a recent positive peer review with the LGA that focused on the governance of cyber security as well as the processes in place. The team also worked closely with the London Office of Technology and Innovation that had membership with 23 other local authorities. Officers advised that this was a useful platform to seek advice and share best practice with a broad group.
· In relation to how the organisational leadership incorporated cyber security into the Council’s key strategic objectives, the Committee was advised that the Digital Transformation Team aimed to ensure that, as well as bringing in technology that was secured by design to support cyber security, employees understood the risks faced from cyber security breaches and everyone’s role in preventing them across the organisation.
· Following a Committee question in relation to the challenges in educating residents about cyber security, the Committee was advised that Brent was leading in the introduction of multi-factor authentication for residents accessing online services, and it was felt that residents understood why this was necessary to keep their data secure and were supportive of this.
· In relation to employees’ and Members’ understanding of their part to play in cyber security, the Committee was advised that there were well established routines in place to ensure everyone understood their role in protecting data. Information Governance training and Member development sessions were routinely carried out to support this. The annual information governance training was being developed further to create bite sized, user friendly sessions for employees, as it was felt this would increase the successful completion rate of the training. Additionally, one to one support was available for any individuals struggling to complete the training independently.
· Following a Committee query in relation to the delivery of bespoke training using previous examples of data breaches to illustrate how future risks could be mitigated, the Committee was advised that this was included in the annual training. It was also noted that when a data breach was reported a communications campaign would be circulated to include wider information on the lessons learned.
· The Committee noted that there was no specific hardware that was particularly vulnerable to cyber attacks, with the best defence recognised as appropriate software and educating the individuals using the equipment.
· The Committee was advised that being part of an IT Shared Service did not create any additional challenges in managing cyber security.
· The Committee requested further details on the response and recovery plans in place in the event of a significant cyber attack, specifically in relation to how work and operations would be able to continue in the immediate aftermath of an attack. In response, the Committee was assured that Brent had heavily invested in tools to provide support if such an incident took place and was confident that all information could be recovered, as software was in place to recover data from the cloud if access to the Civic Centre was limited. Key services would be given the highest priority to restore, with timescales for recovery of non-essential services ranked by priority.
· The Committee was advised that regular reviews and exercises were undertaken to test the robustness of Brent’s systems. The process included simulating a cyber attack and documenting the processes that followed to ensure everyone understood their responsibility in managing the issue. Key learning from other local authorities who had experienced cyber attacks had demonstrated that colleague communication as part of the recovery plan had often been overlooked, therefore Brent was keen to ensure that this was an established part of Brent’s recovery plan.
· The Forum heard that attacks had increasingly been attempted through third-party software providers. The Committee was assured that Brent had the software and expertise to block these attempts. To reduce future risks, as part of re-procurement of systems, Brent would not enter a contract with any provider that did not meet the high security standards expected.
· In terms of the investments made in cyber security the Committee was advised that the significant investments made in Brent had supported a number of publishing services and tools to replace and upgrade firewalls to improve performance and stability against threats, as well as ensuring compliance with standards.
As the Committee had no further questions for officers, the Chair expressed thanks on behalf of the Committee for what was felt to be excellent work being undertaken by the Digital Transformation Team and IT Shared Services. The Committee felt the team had demonstrated innovative plans moving forward with robust systems in place. Councillor Conneely moved on to summarise the outcome of the discussion and the additional actions, which were AGREED as follows:
Suggestions for Improvement
(1) Involve the Committee in testing the Council’s cyber-resilience plans.
(2) Deliver bespoke (in-person) cyber security training to all members in addition to the standard yearly training provided.
(3) Improve internal and external communications, sharing more widely good practice studies relating to the Council’s cyber security activities.
Information Requests
(1) Provide a RAG-rated version of the Brent Cyber Security Strategy 2022-2026 Implementation Plan for the Committee to understand progress made so far.
(2) Provide further detail on how the Council is ensuring third party suppliers are adhering to Brent’s cyber security strategy and requirements. This should be inclusive of the findings from the third-party supplier survey currently underway.
Supporting documents:
- 7. IT Shared Services & Cyber Security Report, item 7. PDF 457 KB
- Appendix A - Brent Cyber Security Strategy 23, item 7. PDF 11 MB
- Appendix B - Brent Cyber Security Strategy Implementation plan2023_v1, item 7. PDF 239 KB
- Appendix C - STS Cyber Security Strategy, item 7. PDF 931 KB