1. How many times has your organisation experienced an attempted cyber-attack in the last two financial years?
2. Have you ever reported any cyber-related incidents to the NCSC and if so, how many in the last two financial years?
3. Thinking about cyber-attacks where the criminal was able to obtain data or disable systems, how much have these cost the organisation?
4. How much of the organisation’s total annual budget is spent on cyber support, protection and computer systems?
5. How many people are employed by the organisation to oversee cyber support and programmes?
I would be grateful if you could provide this information in an electronic format with data broken down by calendar year or failing that, by relevant 12-month period (e.g. 2021/22 2022/23 etc.) for which data is available.
In response to questions 1-5, Devon County Council (DCC) confirms that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of
withholding this information from disclosure.