Issue - meetings

Meeting: 10/11/2022 - Climate and City Resilience Committee (Item 5)

Cyber Security Risk update, Presentation, Paul Gribben

Minutes:

The Chair welcomed Mr. Paul Gribben, Head of Digital Services, to the Committee. The Head of Digital Services opened his presentation by giving the Committee the background to cyber risk. He said that BCC was facing a growing cyber threat that would have severe organisational impacts. This was due to fast-changing network architectures, a rise in flexible working, many more devices connecting outside the corporate network, growing use of personal devices, growing use of Cloud services, an increase in data sharing with other organisations, huge jumps in the number of phishing attempts and concentrated scans of our network. He explained that cyber security was the Council’s most critical risk. Consequently, they had to become much more rigorous about the security controls they applied, and there would be a greater role for Chief Officers and Elected Members around the ownership and accountability of this risk.

He went on to outline a number of alarming facts as detailed below:

 

1. The average time to identify a breach in 2020 was 207 days

2. The average lifecycle of a breach was 280 days from identification to containment (Hackney Council - £12M - data leaked)

3. The main attacks were: ransomware, phishing, 3rd party account compromise, denial of service and misconfiguration

 

4. Human intelligence was the best defence against phishing attacks

5. 95% of cybersecurity breaches were due to human error

6. Over 77% of organisations didn’t have a Cyber Security Incident Response plan

7. Total cost for cybercrime committed globally - $6 trillion 2021

 

The Head of Digital Services went on to outline to the Committee the Cyber Security Strategy and approach in Belfast City Council and detailed the key controls used to mitigate the cyber risk. He detailed the change that would be needed, the security decisions and actions and the security programme that would be undertaken in the coming years.

The Committee noted the contents of the presentation.