Halifax’s auditor general has raised multiple concerns around municipal cybersecurity — including hundreds of missing computers — at a time when online attacks are rising “exponentially.”
Evangeline Colman-Sadd presented her findings to the audit and finance standing committee of the Halifax Regional Municipality on Wednesday. The report said management in the information technology (IT) department is not providing “appropriate oversight” to prevent cybersecurity risks.
“In 2023, cybersecurity attacks are increasing, you know, quite exponentially and both public and private sector organisations are targets,” Colman-Sadd said in an interview.
“But you want to do as much as you can to try to reduce the likelihood of it, or to reduce the severity if you do have a breach.”
The report said IT management has not developed plans to address “known issues,” more policies should be in place, and staff should clarify responsibilities. During the audit, Colman-Sadd found a disagreement between two teams in which each thought the other one was supposed to handle a task.
“In those instances, you know things can fall through the cracks and end up not getting done,” she said.
Colman-Sadd told councillors Wednesday the IT department doesn’t have accurate inventory information and currently lists 451 laptops as “missing.”
“IT does not know the location. That is a risk if the machines contain sensitive data,” said Colman-Sadd.
Although some physical controls are in place to protect the system’s data centres that house critical infrastructure, the report said access to those areas needs better management. Right now, policies around swipe card and key access are informal, and some people had access to data centres that did not require it for their jobs.
Most councillors have not taken training
Ashley Maxwell, audit manager, told the committee that 12 keys assigned to staff were returned when swipe cards were brought in — but IT threw out the old keys rather than returning them to corporate security. Maxwell said they recommended the locks on the data centres be changed immediately, and that was done.
Management launched a cybersecurity awareness training program last year for staff and elected officials, but the report said completion rates “need improvement.”
As of this February, Colman-Sadd told the committee that 31 per cent of employees asked to complete the training had yet to do so and 11 of the 17 elected officials had not finished it either. She said it’s critical to finish such training because attacks often start when an employee doesn’t recognize a phishing email from hackers.
“Having an auditor general is like having a regular colonoscopy — it can be uncomfortable but it gives you a road map as to what needs to be fixed, and if you do it right how you can fix it,” Mayor Mike Savage said during the meeting.
16 recommendations made
Colman-Sadd said there’s been a lot of change in the department in recent years, so she’s hopeful the audit will give the new management team guidance.
The report makes 16 recommendations for the IT department, including figuring out whether it needs more resources. IT management has accepted all the suggestions, and completed four so far.
The committee passed Savage’s motion to ask that staff bring back an action plan within four months to show how the audit will be addressed, including timelines and resources needed.
“We do have work to do but I do have confidence in the leadership that we have in IT now,” Savage said. “It’s pretty urgent.”
The audit period was Jan. 1, 2021, to Dec. 31, 2022.
On Wednesday, Colman-Sadd’s office also released a follow-up review of two 2021 audits, which showed that only 63 per cent of the recommendations around transit technology and payroll had been completed.
Transit technology upgrades include modernizing the fare system, automated vehicle location and a new process for scheduling and route planning. The projects have an estimated cost of $32.7 million.
Halifax has implemented two of the four transit recommendations: tracking spending on individual projects, and setting timelines for improving transit technology. But it has not yet developed forecasts and budget estimates for those tech projects, or established a cost-benefit analysis to help staff decide when to manage projects internally or externally.
The 2021 audit said Halifax Transit used an external contractor as a project manager, but there would have been savings of $1.6 million if municipal staff had been used instead.
Colman-Sadd said Wednesday it’s “really important” these budget estimates have solid support behind them to help councillors and staff make decisions come budget season.
“If you don’t have a good background … you’re simply not sure what was included or what wasn’t. You’re relying on people’s memory and they may not remember,” said Colman-Sadd.
Halifax Transit staff told the city’s transportation standing committee in May that the long-delayed mobile app that would allow transit users to pay for tickets electronically should be rolled out this summer. That is not yet in place.
These are the final audits to be signed off by Colman-Sadd, as she leaves the role this week for a new job at Emera as vice-president of audit services. Her seven-year term was up this fall and councillors will appoint her replacement soon.