HRM has insufficient oversight of its cybersecurity risks, AG report says – Halifax

In her final act as Halifax’s Auditor General, Evangeline Colman-Sadd presented the findings of a management of cybersecurity audit on Wednesday.

“Their limited policies and processes, they need to work on those things,” she said about the Halifax Regional Municipality. “They need to work on identifying risks and shoring up their cybersecurity risk register, so that really is key to that oversight piece.”

The report finds that HRM has not provided appropriate oversight of its cybersecurity risks, and that the cybersecurity program at HRM requires attention.

“In 2023, there are cybersecurity risks for every organization and you can have the best policies, practices in the world and still be hacked,” Colman-Sadd said.

“But, it is really important to have good policies because it helps to prevent at least some of, or to ward off, attacks.”

While HRM Mayor Mike Savage said there is work to be done, he expressed his confidence in the Information Technology (IT) departments ability to do so.

“I do have confidence in the leadership that we have in IT now to help us with this,” Savage said. “It’s pretty urgent and we appreciate this report for the information it gives us.”

In committee discussions about the report, Councillor Pam Lovelace said HRM has seen its website down, several calls for password changes, a TikTok ban, and confusion around missing laptops.

“What I’m seeing from this is we lack rigour,” Lovelace said. “We lack the processes and the detailed kind of analysis that is needed internally with our IT department, considering the severity of the cyberattacks and the potential of shutting down business at HRM.”

Regarding the missing laptops, Colman-Sadd said a tool used to track assets — such as computers — is not accurate, but has identified 451 computers as “missing.”

“It could be an instance where someone hasn’t returned one after they’ve gotten a new computer and perhaps it wasn’t tracked properly, so I think IT probably needs to investigate that,” she said. “Could there be laptops that are truly missing? There could.”

Colman-Sadd also mentioned in her report that cybersecurity training for municipal employees is essential to the first “line of defense.”

She said, as of February, 11 out of 17 elected officials at HRM have not completed cybersecurity awareness training.

The report comes as King’s County recently notified the public of a cyber attack from July, showing that municipalities can be targeted.

Colman-Sadd presented 16 recommendations in her report, all of which have been agreed to by HRM and four of which have already been completed.

“When I read this report, there’s things that concern me,” Savage said. “On the other hand, I look at the recommendations and I see some of them are already complete and that management, I think, agrees with just about every recommendation… which I think is encouraging.”

HRM staff said by email that, “municipal cybersecurity staff are reviewing the recommendations of the HRM IT: Management of Cybersecurity Audit – Public report, and as per today’s meeting, will develop a prioritized action plan within four months and report back to the Audit and Finance Standing Committee showing how these recommendations will be addressed, with timelines and resource implications.”

The auditor general’s office will follow up in 18 months on the recommendations, at which point they will be looking for 80 per cent completion.

&copy 2023 Global News, a division of Corus Entertainment Inc.