Council says new IT defences justify downgrading cyberattack risk

Elgan Hearn, Local Democracy Reporter

Council chiefs are confident that new information technology it is now using will protect the authority against cyberattack

At a meeting of the Governance and Audit committee of Powys council on Friday, June 20, councillors and lay members received a report on the council’s strategic risk register for the last quarter of 2024/2025 (January to end of March).

The report says that the digital services department want to de-escalate the risk that the council’s: “information and systems will be vulnerable to a cyberattack” from phishing emails.

If senior councillors agree to this, the risk will drop down to be managed by a departmental risk register.

Uncomfortable 

Cllr Graham Breeze (Powys Independents) said: “This concerns me, I’m really uncomfortable that we’re asking for this to be de-escalated.

“The current situation we live in, worldwide massive organisations such as Marks and Spencer have come under a huge attack which has cost that company over £300 million to date.

“I’m interested to know how we feel so confident that we have control over this that we can de-escalate a risk I would consider to be one of the biggest we have as an authority.

“The sheer significance of this authority being hit by a cyberattack is unthinkable.”

He wanted to be convinced that the council had a “super system” to defend it from cyberattack.

Head of digital services Ellen Sullivan said: “The risk remains high, what is reduced is threat.

“We’ve actually purchased and deployed extra phishing software, so we have that across all our systems that detects any phishing concerns.”

She added that extra “phishing training” for staff had also been rolled out by the council.

This means that “fake emails” are sent out to test whether staff each month.

Ms Sullivan explained that staff who click on the fake emails would then be given “refresher training.”

Evolving situation

Cllr Chris Walsh (Labour) said: “Cyber criminals will change their behaviour and tactics on a regular basis, it’s not a stationary situation it’s an evolving one.

“Reducing it feels slightly complacent.”

Cabinet member for customers, digital and community services, Cllr Raiff Devlin (Liberal Democrat) said: “There is no complacency here whatsoever.

“The council has invested significantly into its cyber defence.

“While members are absolutely correct to point out it’s a dynamic environment, the key to maintaining our defence is our ongoing investment and there is a commitment by the cabinet to do just that.

“So, I feel that we are managing this risk appropriately and I’m reassured that the department has what it needs in place to do that.”

The report will go in front of the Liberal Democrat/Labour cabinet for a decision next month.