
451 laptops missing, behind on training: HRM’s cybersecurity lacking, says AG



HALIFAX, N.S. — Halifax Regional Municipality’s cybersecurity needs some urgent attention.

Halifax’s Auditor General, Evangeline Colman-Sadd, presented the gaps her team found in the municipality’s cybersecurity at the Audit and Finance Committee on Wednesday.

“Cyberattacks are only increasing and the reality is public organizations as well as private sector organizations are all potential targets,” she told the committee, adding that documentation, proper policies and training are all key to a good defence.

The Municipality of the County of Kings said it was hacked last month, and the province has been dealing with a massive breach from the MOVEit file transfer service in May.

And in March, Colman-Sadd pointed out similar gaps in Halifax Water’s cybersecurity.

“Overall we found a lack of oversight to manage cybersecurity risks,” she said on Wednesday.

HRM hired consultants for security assessments in 2018, 2022 and 2023, which raised key concerns.

Behind on training and missing laptops

In Oct. 2022, employees — whom Colman-Sadd considers to be on the front lines of cybersecurity — were given 30 days to complete cybersecurity training but, as of Feb. 2023, 31 per cent had not completed it.

“That training is an important aspect of cybersecurity. Cyberattacks often start with phishing or similar efforts with employees,” she said. 

“I’ll also note as of February, 11 of 17 elected officials had not completed cybersecurity awareness training. So it is important to make sure that is completed to help ensure the security of HRM’s systems.”

HRM doesn’t keep a complete inventory of IT assets and the server inventory is not up to date. The tool used for the computer inventory is inaccurate and the audit found that there are 451 missing laptops.

“IT does not know the location. That is a risk if the machines contain sensitive data.”

Evangeline Colman-Sadd, auditor general for Halifax Regional Municipality, speaks to reporters in this file photo. – Francis Campbell

Coun. Pam Lovelace (Hammonds Plains – St. Margarets) expressed surprise that there were hundreds of HRM laptops in the wind.

“What I’m seeing from this is we lack rigour, we lack the processes and the kind of detailed analysis that’s needed internally with our IT department,” she said. “Considering the severity of the cyberattacks and the potential for shutting down business at HRM, I’m wondering how we elevate this more to an EMO perspective.”

She said that if HRM were attacked, it would require emergency management, and she asked what would be involved in a recovery plan.

“Cybersecurity has almost reached the point that it’s not if you’re going to be hacked, it’s when you’re going to be hacked. No matter what’s in place,” responded Colman-Sadd, who agreed following up with a recovery plan is a good idea.

More urgent action

The auditor’s report came with 16 recommendations, all of which have been accepted by management, Colman-Sadd noted, and there was also a private (in camera) report with more sensitive security information.

The audit found that data centres have access controls to protect against unauthorized access or tampering, but there are no policies governing who can access them or how visitor access is handled.

Auditors found that IT staff had 12 access keys, which were thrown away when they were replaced by swipe cards. When this was discovered, auditors recommended to the IT department that the locks be changed immediately, and that has been done.

The audit also comes with the usual check-in after 18 months, but Mayor Mike Savage said they needed to move faster.

He put forward a motion for staff to develop a prioritized action plan and report back within four months with timelines and resource implications.

The audit committee also bid a fond farewell to Colman-Sadd on Wednesday as, after seven years, her contract is at an end and she is taking a job elsewhere.

“Having an auditor general is like having a regular colonoscopy,” Savage said. “It can be uncomfortable but it gives you a roadmap as to what can be fixed.”

