Cyber security awareness and resources

Can you confirm if Devon has such a HUB in place and if so, can you detail what measures you have in place to make staff aware of such scams?

Yes, we do have a cyber security hub. This is available to employees via our Cyber Security Awareness page on Inside Devon. The Hub itself is only available to employees as we believe that information relating to cyber security is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime, and although we appreciate that there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of Council networks and systems. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities.

If you have a phish tank section in place can you please send me a copy of all content displayed in this section.

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information may have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

We have, however, published some guidance for employees which is in the public domain and is linked below:

* Keep off the Phisherman’s Hook this Black Friday
* Phishing, Smishing and Vishing

Also, do you record metrics on the following:
* Phishing attempts
* Scam emails
* Emails blocked
* Total emails received by the department

If so can you please provide me with a copy of any reports which pertain to same.

We hold this information but consider that disclosure may place the council at increased risk of targeted cyber-crime and that, as such, it is exempt from disclosure under Section 31 (1) of the Freedom of Information Act. Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out.

Section 31 is a qualified exemption, which means we are obliged to carry out a public interest test. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime, and although we recognise the need for openness and transparency because this increases public trust and engagement, this has to be weighed against a very strong public interest in safeguarding the security of Council-specific systems. Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems, as this could enable individuals to deduce how successful the council is in detecting these attacks, and incurring this risk can be deemed not in the public interest. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities, so on balance we consider the application of the exemption to be justified.

Do you have any measures in place to prevent Devon staff from using their working email to sign up to external services not related to their official duties?

If so, please detail?

The council has published guidance for staff which states that work email accounts should not be used for registering for services unrelated to their role.