Cyber security training, breaches and devices

For each of the last five financial years, including the present financial year (regardless of completion), please would you provide available data on the:
– Gross training expenditure on all county council employees

This information is not recorded centrally or published in the Council’s Budget Books as separate cost, and we estimate that the time taken to identify locate and compile costs for different aspects such as purchasing training for staff, the preparation of training materials ,delivering training, staff time and travel expenses both corporately and across different services would take well in excess of the 18 hours allowed under the Freedom of Information Act 2000 Section 12 – Cost of Compliance.

– Gross expenditure spent on cyber security training and awareness programmes for all county council employees.

As above but also, we believe that information relating to the amount spent on private cyber security contractors and/or consultants/consultancies which the Council may or may not hold is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Our systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

– Number – and if recorded, the type – of cyber and non-cyber data breaches reported to the Information Commissioner’s Office (ICO).

Incident category 2015 – 2016 2016 – 2017 2017 – 2018 2018 – 2019 2019 – 2020
Data integrity 1
Email 1 1
Loss or theft of paper 2
Other 2 2 2
Post 1 3 1
Printing 1
Technical 2
Undetermined 1

We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

– Number – and if recorded, the type – of personal data related ‘incidents’.

Devon County Council defines an information security incident as an event where the confidentiality, availability and or integrity of the Council’s information is put at risk. Recording methods have changed in recent years so separate tables are provided for 2015 – 2016  and 2016 – 2020

Incident category 2015 – 2016
Data accuracy – inaccurate data recorded on electronic system/file 18
Data accuracy – inaccurate data recorded on paper file 4
Email – incorrect email address 53
Email- incorrect email address or attachments 8
Email – other 6
Email – sensitive data sent using unsecured email 5
Email – unredacted information disclosed in error 3
Fax- incorrect contents sent to recipient 1
Fax- incorrect fax number used 2
Inappropriate Access – Electronic systems & information 2
Loss or Theft – Mobile device 14
Loss or Theft – Other lost/theft incident 3
Loss or Theft – Paper documents 17
Not applicable 54
Other incident 4
Postal – Incorrect enclosures 11
Postal – Incorrect or incomplete name & address 26
Postal – Other postal incident 7
Postal – Unredacted information disclosed in error 4
Printing – Other Printing Incident 1
Printing – Unattended printing 23
Scanning – information emailed to wrong person 3
Sharing – Excessive information shared 7
Sharing – Inappropriate verbal sharing 6
Technical – Other technical 10
Technical – Unmanaged device used to process DCC data 1

 

Incident category 2016 – 2017 2017 – 2018 2018 – 2019 2019 – 2020
Data integrity 25 21
Email 61 79 115 83
Filing 45 35 16 18
Inappropriate systems access 2 2 8 5
Information sharing 0 0 0 24
Loss or theft of paper files 16 8 2 0
Loss or theft of device 1 17 18 17
Loss or theft of paper 0 0 9 11
Office security 3 4 4 1
Other 29 24 26 30
Post 34 25 53 65
Printing 6 12 19 12
Technical 6 11 13 9
Undetermined 17 32 17 1

We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

If able to be disclosed under the Freedom of Information Act, please also provide:

– The number of phishing emails reported by staff over the recorded last 12 month period.

We hold this information but consider that disclosure may place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act. Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out.
Section 31 is a qualified exemption which means we are obliged to carry out a public interest test. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime and although we recognise the need for openness and transparency because this increases public trust and engagement, this has to be weighed against a very strong public interest in safeguarding the security of Council specific systems. Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems as this could enable individuals to deduce how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities so on balance we consider the application of the exemption to be justified.

– The average click rates on simulated phishing emails for the last 12 months (if these are carried out and tracked).

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information may have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

– The number of devices that are running out of date software.

We believe that information relating to affected devices which the Council may or may not hold is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

– The number of devices reported as lost/stolen or unaccounted for over the last 12 months.

27 devices were reported lost or stolen in the last twelve months.