Agenda item

Pre-decision Scrutiny

· To select appropriate items from the Cabinet (Policy and Resources) Sub agenda for pre-decision scrutiny (cabinet reports enclosed for Scrutiny Members)


Neath Port Talbot Cyber Security Strategy Update 2024

Chris Owen, Chief Digital Officer, introduced the Neath Port Talbot Cyber Security Strategy Update 2024 report.


Members welcomed the progress against the actions in the strategy.


Members noted that a range of measures have been put in place over the years to protect the organisation in terms of cyber security, but that this has also created a more complex system. Members asked whether the growing risks of user error and of maintaining this complex and interconnected system have been considered.


Officers outlined how digital platforms underpin the delivery of the majority of council services. Members were advised that extensive work has been undertaken to document the interdependencies between the systems, how they operate, and how the service areas consume those services.


Through their Disaster Recovery and Business Continuity plans, Digital Services has documented ‘playbooks’ which outline how to recover services in the event of an outage, including timelines to restore each service.


Members were advised that service areas need to understand these timelines and build them into their business continuity plans, so they will know how long they would be without that service. Service areas need to understand what the implications of any digital service being unavailable would be for their own service, and how they would need to operate in that situation. Officers have started work with the emergency planning team to engage with the service areas.


Members asked how officers would limit the impact of systems going down, for example if email went down for the entire organisation.


Officers advised that a lot of time and effort has been invested in reviewing the critical systems and categorising them in terms of major services, and playbooks are in place for each one. If one of those services goes down, Digital Services have the playbook to know who needs to be available, what the action plan is and what the communications need to be, so they are best prepared when a service goes down.


Officers advised that they have built the services to meet the Neath Port Talbot digital services standards. These standards make sure there are no single points of failure and that full redundancy is in place. Officers stated that they are using ‘cloud first’ as a new approach (where possible) rather than the on-premises data centre, which inherently has a single point of failure within it. This is to make sure that redundancy is there as part of the design.


Officers noted that there was a recent issue caused by a third-party organisation. Officers advised that there was very good internal communication as soon as the incident happened, in which notifications were sent out and staff were mobilised across all the civic centres to get through the backlog as quickly as possible.


Officers noted that while they would not want that incident to happen again, they have additional processes and steps in place with the third parties to mitigate a recurrence. Officers are aware that they cannot fully trust their third-party suppliers, as errors are possible, as seen in the recent incident; however, Officers have learned and evolved from these issues and will continue to mitigate them as they move forward.


Members referred to the business continuity plans and asked who oversees them to make sure service areas are consistent in producing and updating these plans.


Officers advised that they have linked in with the emergency planning team to provide that oversight, as they hold the contingency responsibility, and are working through it with service areas.


The Chair advised that the response to the IT incident was excellent and commended the officers for the report.


Members asked about the staffing arrangements for monitoring the system.


Officers advised that there is a cyber security team who monitor the system and look at all the platforms and services that protect the network. These officers look through the log files for any flags of suspicious activity and deal with incidents as they arise, such as phishing attacks where people have clicked on links by accident, making sure there is no ransomware on their machine.


Within that team there are 6 people; they do not just focus on cyber security but also carry out several other operations, and they are essentially the gatekeepers for policies and patch management.


Members asked how officers are informed about travelling abroad with Council equipment, and whether there could be a single point of contact for officers to report this to.


Officers advised that the geolocation controls have not been fully functioning and that a new policy will be put in place. There will be a corresponding process to follow when users are going abroad, so members can inform the service desk, who will process the request, relaxing the restrictions during the period members are away and retightening them when they return.


Members asked if there was a training programme for regular refreshing of knowledge.


Officers advised that staff have 2-yearly mandatory GDPR information and security training. For members, officers are engaging with Welsh Government on training such as Cyber ninjas training, which will be more of a rolling programme.


Members noted that Leicester County Council had an IT attack recently and asked if anything had been learned from that. Officers advised that when there is an attack on any public body, the National Cyber Security Centre runs point and would be doing so in conjunction with Leicester County Borough Council. Members were advised that as the National Cyber Security Centre learns what has happened and finds any vulnerabilities, this information is sent out to all local authorities so they can check their own systems. The local government network shares everything so that authorities can protect themselves.


Members asked about phishing emails and whether any work has been done on that. Members were informed that the authority has linked up with an organisation called ‘Bobs Phishing Emails’, who send a spoof phishing email to a selection of people, monitor who clicks on the link, and record who needs training or support on this. Through training and educational awareness, officers are trying to mitigate issues with phishing.


Following scrutiny, the recommendation was supported to Cabinet.