For each calendar year from 2020 to 2026 inclusive:
1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach).
2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.
3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where a system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.
In response to questions 1-4, Devon County Council can confirm that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a), the prevention or detection of crime, of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of Devon County Council becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is a public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.