Moray Council does not have a major incident response plan to deal with a successful cyber attack.
The failure comes at a time when there is a growing global threat of cyber crimes.
A review by the council’s internal audit team on the ICT section’s security arrangements has highlighted the problem.
It was discussed at a meeting today.
Audit and risk manager Dafydd Lewis warned those attending there is a growing global threat of cyber attacks and adopting recommendations in his report is vitally important.
He said: “I do not wish to sound as if I’m scaremongering.
“However, in the current environment the question may not be if but when a Scottish council will be subject of a successful cyber attack.
“Responsibility for effective cyber security does not lie with the ICT service alone, but with every member and officer of the council.”
Mr Lewis added an attack would immediately impact the council’s ability to deliver services.
The review was delayed by pressures caused by Covid.
Cyber attack warning
While policies and guidelines regarding information security and computer use are in place, they have not been reviewed for several years.
The review also found the council was not fully complying with the Scottish Government Cyber Resilience Framework.
A recommended self-assessment tool to highlight areas of improvements in cyber resilience has not been completely implemented.
Councillor for Keith and Cullen Donald Gatt said: “I’m a little concerned there was a delay in the audit because of Covid.
“With the pandemic in mind and the attack the other year on Sepa, if we lose our IT system then we really are in a lot of bother across the whole council with all manner of things.”
Committee chairman Graham Leadbitter told the meeting Sepa (Scottish Environmental Protection Agency) was still recovering from the attack.
He said: “The amount of data lost was the vast majority of the data the organisation held.
“They had to rebuild all their communication, all their emails, all their distribution lists.
“It took months just to get back to some of the most basic operations.
“The impact cannot be underestimated.”
Work to improve the council’s cyber security is taken from lessons learned on the Sepa ransomware attack on Christmas Eve 2020.
Around 4,000 documents were made public after the agency refused to pay a ransom.
The full financial impact of the attack is still unknown.
Councillor for Elgin South Peter Bloomfield said his council mobile was subject to phishing and he had to install anti-virus.
Growing global risk
Mr Lewis advised he would raise the issue with the IT manager.
All the recommendations in the report are accepted and work is continuing to get them in place.
They include completing the self-assessment tool roll out, developing an incident response plan, conducting a review of policies and guidelines and carrying out cyber security staff training.
Conversation