Over the past decade, the City of Toronto, like other large organizations, has increasingly conducted its business and key operations online and in a networked environment. This makes operations more efficient and serves citizens better.
The City stores a vast amount of confidential and sensitive data, such as information about employees and citizens’ personal records. It also maintains a large number of systems that are critical to the City’s functioning, such as water, fire services, transportation, and emergency response systems.
The Canadian Centre for Cyber Security, which is Canada’s single unified source of expert advice, guidance and support on cyber security for government and for critical infrastructure owners and operators, notes that:
“a safe and secure cyber space is important for … security, stability, and prosperity”
It also assessed that: “Public institutions are also attractive to cyber threat actors …”
In recent years, many municipalities in Canada and the U.S. have been affected by cyberattacks. Recent attacks on the City of Saskatoon, the City of Ottawa and the City of Burlington are evidence that Canadian cities are being targeted.
To improve security considerably, the City must change in three key areas:
• Human behaviour as it relates to cybersecurity threats
• Technical fixes
• Culture shift.
If the City’s cybersecurity program is built on these three pillars, cybersecurity will be strengthened considerably.
The Auditor General has raised concerns in this area before
In previous assessments on information technology security, the Auditor General’s reports highlighted to City management that insufficient preparation to manage cyber threats is widely considered to be one of the most critical operational risks facing the organization. The reports are available in Confidential Attachment 1, Appendix 2.
During the Auditor General’s most recent follow-up process, management reported that two of the 10 recommendations from information technology security audits done in 2016 were fully implemented. The Auditor General’s validation of the implementation of these recommendations found that they were not fully implemented.
These recommendations were considered not fully implemented because the steps undertaken, or the extent of the improvement, did not fully address the issue or the intent of the recommendation. Since 2016, none of the recommendations have been fully implemented, which is concerning to the Auditor General.
The purpose of this audit was to assess the City’s ability to manage external and internal cybersecurity threats, and to follow up on previous audit recommendations. We provided the I&T Division with a detailed technical report to help them understand and address these issues.
This public report contains two administrative recommendations. The confidential audit findings and recommendations to improve cybersecurity controls are presented separately from this report, in Confidential Attachment 1. The confidential report will be made public at the discretion of the Auditor General after discussion with the appropriate City Officials.