North Ayrshire Council must strengthen passwords before cyber attack

Councillors on the Audit and Scrutiny Committee heard password controls should be amended to be in line with best practice guidance, after an audit found network logons were weak.

It’s hoped this will be completed by the end of the year after missing the September deadline.

A council report states: “There is no requirement to use a mix of special characters, numbers, uppercase, lowercase etc or to change the password periodically or get locked out after a specified number of failed login attempts.”

It added there was: “Increased vulnerability to hacking or other forms of cyber attack, which could lead to data breach or inability to undertake duties.”

The council noted: “The rollout is taking longer than anticipated due to configuration settings on teaching staffs network accounts.

“This was due to unforeseen configuration making the rollout extremely staggered. And therefore, we won’t meet the completion date of the 30/09/21. The team are hoping that the rollout will be completed by December 31.”

Councillors on the Audit and Scrutiny Committee also heard the Corporate Information Governance Group should review the privacy information produced for children and ensure that best practice is followed.

An audit found survey respondents stated that no privacy information specifically for children has been produced.

In discussion with the information management officer, it seems likely that some individual establishments and teams have produced such information, but that officers completing the survey were unaware of this.

The report added there was a risk that “children and young people do not receive appropriate information to make them aware of how their information is handled by the council”, leading to a potential breach of GDPR. Information given to children and young people is inconsistent or not appropriately worded. Officer time is spent producing such information when examples of good practice already exist.