At its next meeting, Toronto city council is poised to adopt changes that would improve cybersecurity protocols after the City’s Auditor General identified two incidents that weren’t reported.
In her latest report to the City of Toronto’s audit committee, Auditor General Beverly Romeo-Beehler identified glaring issues when it comes to procedures surrounding incidents of cyberattacks.
Following two separate incidents where ransomware compromised city systems, both of which were characterized as minor, Romeo-Beehler said neither was reported to the Chief Information Officer. Her report said the City of Toronto currently lacks the protocols to do so.
For security purposes, Acting Chief Information Officer Lawrence Eta wouldn’t reveal when the attacks occurred or which departments were targeted. But Eta, who oversees the division in charge of all the City’s IT departments, said a review is still underway to determine how the communication breakdown occurred.
“We’ve got to investigate from when those incidents occurred, what were gaps in terms of reporting and how do we strengthen that reporting,” said Eta, adding the goal if another attack occurs is that the tools will be in place to report it.
The head of Toronto’s Audit Committee, Coun. Stephen Holyday, said he was surprised by Romeo-Beehler’s findings.
“I would have thought these things were automatic,” said Holyday, adding people need to understand the importance of bringing this information forward when attacks happen.
At its next meeting, the audit committee is recommending that city council adopt Romeo-Beehler’s call to establish strict reporting protocols. It will also be asked to pass a motion to ensure all city staff undergo mandatory cybersecurity training.
While the report called the attacks minor, ransomware attacks have the potential to cause catastrophic losses of data and can be incredibly costly to resolve.
In the spring of 2018, the Township of Wasaga Beach found this out the hard way. Over about 37 days, the town’s treasurer and finance director Jocelyn Lee said the municipality was plunged into chaos following a ransom attack.
A hacker seized control of all of the town’s critical data, including historical documents, financial records, and planning and public works files. The town’s leadership opted to pay $35,000 to the hackers, but Lee said the cost of restoring the decrypted files ended up being closer to $252,000.
“When you’re faced with the cost to restore all of your information that is all gone and all of your critical records are gone, it becomes quite quickly a business decision that was quite easy to make,” she said.
Following the attack, the township added security consultants to bolster what Lee described as a department that was unprepared for such an attack. Along with the added protection, she said the move helped restore trust for citizens.
“Making sure that they never get back into your system isn’t something you can necessarily achieve,” said Lee.
“What you want to achieve is the how you’re going to respond if somebody did get back into your system.”
An increase in trust is something Holyday said he wants to achieve as well.
“We want the public to feel that our IT systems are as well protected as anyone else, like a bank,” he said.
Romeo-Beehler’s call for shoring up lapses in cybersecurity follows constant efforts within the City of Toronto’s IT department to stay a step ahead of hackers.
Holyday said Romeo-Beehler has recommended “penetration testing” from sanctioned hackers to test for weaknesses from as far back as 2016.
Eta said the audits are a necessary part of the evolution of the City’s security.
By the end of August, Toronto will have a new head of information security, who will oversee keeping the IT division safe.
A request for proposals is also out for an outside security firm to identify any gaps in the city’s safety net.
© 2019 Global News, a division of Corus Entertainment Inc.