In our report entitled “Audit of Information Technology Vulnerability and Penetration Testing – Phase 1: External Penetration Testing” we highlighted to City management that insufficient preparation to manage cyber threats is widely considered one of the most critical operational risks facing organizations. The City, as well as its agencies and corporations, is not immune from these risks.
The Auditor General recently became aware that two small entities within the City were reportedly attacked by ransomware and their systems compromised. In both situations, the incidents were not communicated to the Chief Information Officer because protocols do not exist.
Ransomware is a form of attack in which user systems and/or files are rendered inoperable. The attackers then demand payment to restore access to the system and/or files. These attacks are not new to Canadian municipalities; recently, two other municipalities were attacked by ransomware, one in Quebec and one in Ontario. One of the municipalities received a demand for $65,000 to restore its data; for the other, the ransom details are not public. Cyber security attacks are becoming more complex, more difficult to detect and more costly for compromised organizations.
The purpose of this report is to highlight the importance and urgency for the City to have a standard incident management process developed and implemented across City divisions, its agencies and corporations so that the Chief Information Officer can analyze these attacks in an effort to enhance City-wide cyber security. The Auditor General, realizing the emerging risks, in each of her reports on IT vulnerability assessments and IT infrastructure audits issued during 2016 to 2018, recommended that the City:
– develop baseline IT security standards to provide guidance across the City to address cyber security threats,
– implement a cyber security program, and
– create an independent role of the Chief Information Security Officer (CISO).
In addition, the Auditor General, in her communications with the Information and Technology Division, identified the need for a centralized process, guidelines and communication protocols available to all organizations within the City to deal with cyber security threats and incidents. Adequate controls must be put in place to maintain the confidentiality of sensitive information.
The Auditor General’s planned follow-up is due in the latter half of 2019. An update on the status of the implementation of the recommendations will be tabled at future Audit Committee meetings.