MORE could be done to secure Anglesey Council’s IT network from potential cyber attacks, a new report has found.
On Tuesday, internal auditors told councillors they could only offer “reasonable assurance” that the authority’s systems were safe from potential breaches.
According to the report, officers found two “major risks” in the authority’s current practices including some members of staff still being able to use removable disk drives, such as USB pens, on computers connected to the main network and connecting their own laptops and other devices to the council wi-fi.
The password complexity settings for two of the Council’s externally facing systems were also found to insufficiently protect the council against a potential data breach.
As a result of the audit’s findings, the report notes that efforts are already underway to try and clamp down on such practices going forward.
Head of Audit and Risk, Marion Pryor, told the Audit Committee meeting in Llangefni: “Cyber security is clearly a priority for IT and there are a variety of technical safeguards in place.
“However we do find that some users are still able to access removable media devices so we recommended a review of those who should be allowed to do so.
“We can never be 100% safe but the assurance is reasonable. But thanks to a combination of the firewalls, training and staff awareness, we’re confident we’re doing pretty much everything we can do.
“If the risks raised can be addressed in full then I’m sure that assurance can be increased further.”
Members were also told that, in line with several authorities across the UK, Anglesey Council had recorded a rise in attacks over the past year, from cyber criminals attempting to disrupt services to malicious login attempts and ‘phishing’ emails.
Though there was no suggestion that any attempts had been successful, the source countries included Russia and Japan – but the latter were thought to be North Korean attempts using IP addresses based in Japan to try and mask their activities.
“Protection of the Council’s network is clearly a priority for IT and a variety of technical safeguards are in place in order to achieve this,” noted the report.
“Despite this discernible success, our review found that controls around removable media devices do not reflect the requirements in this area as outlined in the IT Security Policy.
“A review to ensure only those authorised to use removable media devices are able to do so would reduce the risk of security or data breaches.”
It went on to note, “While we raised five issues/risks, which require management attention, the outcome of our review is mainly positive.
“We have agreed an action plan with management, which is detailed in a separate document.
“Therefore, within the scope of our review, we are able to provide a reasonable level of assurance in this area.”
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here