Halifax can’t find hundreds of laptops, and like many municipal employees, most councillors failed to complete mandatory cybersecurity training.

Those are some of the findings from outgoing auditor general Evangeline Colman-Sadd’s last report to council’s Audit and Finance Standing Committee on Wednesday.

Colman-Sadd’s office audited the municipal information technology (IT) department’s management of cybersecurity “to determine whether HRM appropriately manages cybersecurity risks to its network.”

The auditors made 16 recommendations. Management reported four of those have already been completed, related to keyed access to municipal data centres. It accepted the remaining 12.

“Overall, we found a lack of appropriate oversight to manage cybersecurity risks,” Colman-Sadd told councillors on the Audit and Finance Standing Committee.

Policies and processes to document cybersecurity risks are “limited,” Colman-Sadd said, and “physical access to network infrastructure needs improvement.”

Ashley Maxwell, the audit manager, told councillors managers in the IT department have a cybersecurity road map, but it lacks detailed plans and timelines. And the managers told the auditors they aren’t sure they have enough staff.

“Management expressed resource concerns throughout the audit related to cybersecurity. Management has not assessed needs or requested additional resources,” Maxwell said.

The department briefed council on cybersecurity in 2022 and 2023, but didn’t talk about staffing.

“While the briefing provided an overview of areas management is focusing on, it did not indicate that resource needs have not been identified or assessed,” Maxwell said.

City changing the locks at data centre

The municipality’s data centres have environmental controls in place, like generators and air conditioning, the audit found.

“Data centres house critical network infrastructure, so having controls that prevent damage or keep this equipment operational is important in preventing outages and ensuring the security of HRM data systems,” Maxwell said.

While there were controls on physical access to those data centres, the auditors found there were no policies or procedures to manage employee or visitor access to the centres. There were employees with swipe card access to data centres that wasn’t required for their jobs, and there were 12 keys to the data centres issued, according to municipal records.

“Management told us that the staff had actually turned in their keys when this swipe card access was introduced and that IT had thrown out the keys instead of returning it back to corporate security,” Maxwell said.

When the auditors recommended HRM change the locks, it did so.

Third of employees, two thirds of councillors untrained

The municipality rolled out a cybersecurity training program in October 2022, giving employees 30 days to complete the training.

“As of February 2023, 31% of employees that the training was sent to had yet to complete it,” Colman-Sadd said.

She added that the IT department hasn’t told department leaders which employees had failed to complete the training.

“That training is an important aspect of cybersecurity. Cyber attacks often start with phishing or similar efforts in relation to employees,” Colman-Sadd said.

“I’ll also note that as of February, 11 of 17 elected officials had not completed cybersecurity awareness training. So it is important to make sure that that is completed to help ensure the security of HRM systems.”

Laptops missing

The municipality has no asset management policy and no accurate inventory of IT assets, Colman-Sadd told councillors.

“Computer inventory is tracked via a tool. There are inaccuracies in it and we also noted that the tool notes 451 laptops as missing,” Colman-Sadd said.

“IT does not know the location. That is a risk if the machines contain sensitive data.”

The auditors tabled an in camera report as well, with an undisclosed number of recommendations. Colman-Sadd cautioned that just because there’s an in camera report doesn’t mean there were negative findings.

“Whether the results of that are excellent, abysmal or in the middle, it would be in camera regardless. There is no stratosphere in which we would report certain aspects of cybersecurity, no matter what,” Colman-Sadd said.

The committee spent about an hour and a half in camera, but there were also two personnel matters and a contract negotiation matter on the agenda.

‘We lack rigor’

But the public report was cause enough for concern for Coun. Pam Lovelace.

“What I’m seeing from this is we lack rigor. We lack the processes and the detailed kind of analysis that’s needed internally, with our IT department, considering the severity of the cyber attacks, and the potential for shutting down business at HRM,” Lovelace said.

Mayor Mike Savage noted other municipalities, like St. John’s, have been targeted by hackers.

“This is something that we’re all going to have to figure out, and I think anybody who’s in management or an elected official these days is worried about,” Savage said. “We see private companies getting caught up in horrendous situations where they end up paying a lot of money out.”

Colman-Sadd said that risk is why HRM needs to get it together.

“Any look at the news will give us all a good understanding, cyber attacks are only increasing, right, and the reality is, government organizations as well as public, private sector organizations are all potential targets,” Colman-Sadd said.

“That’s one of the reasons why it is important to have really solid processes … from a documentation standpoint so that staff know what to do when there are issues … And it’s really important for things like cybersecurity awareness training to be completed by as many folks as possible. Your employees are often your sort of your first line of defence.”

Savage moved to direct the chief administrative officer to develop an action plan. He wants a report back to the committee within four months “showing how these recommendations will be addressed with timelines and resource implications.”

Four-year-old recommendations still incomplete

Colman-Sadd also tabled follow-up reports at Wednesday’s meeting. A review of previously outstanding recommendations from two 2019 audits found five recommendations still outstanding.

And a review of two 2021 audits — Management of Accounts Payable and Transit Technology Project Management — found three outstanding recommendations.

Colman-Sadd said her office is still in the process of reviewing another 2021 report into Management of the Fire Inspection Program Audit. As the Halifax Examiner noted in June, that report highlighted a lack of water supply in some of the neighbourhoods that burned in the Tantallon fire.

“I will say the office has started that work but we paused it for a while for obvious reasons recently,” Colman-Sadd said.

“I believe it’s getting started again now.”

Colman-Sadd headed to Emera

Wednesday’s meeting was Colman-Sadd’s last as auditor general, after nearly seven years in the role.

Colman-Sadd announced on LinkedIn last month that she’s soon starting a new job as vice president of audit services at Emera.

“I have enjoyed my term as auditor general immensely, more than I could probably describe honestly,” Colman-Sadd said.

“I believe my office has added value with the work that we do. We work hard to complete audits in areas of higher risk and to make recommendations that we think will improve programs for HRM citizens, management, and staff.”

Savage compared the work of an auditor general to a medical procedure.

“Having an auditor general is like having a regular colonoscopy,” Savage said.

“It can be uncomfortable, but it gives you a roadmap as to what needs to be fixed, and if you do it right how you can fix it.”


Zane Woodford is the Halifax Examiner’s municipal reporter. He covers Halifax City Hall and contributes to our ongoing PRICED OUT housing series. Twitter @zwoodford

2 Comments

  1. Here is a prime example of why there needs to be more accountability and transparency in government(s), who are the arrogant elected officials (65%) who feel they are above the requirements. If I am one of the ones who has done the training (35%), I would want people to know that.
    I bet the 17 are collecting 100% of their pay, no need to list those names we know them.

  2. 451 missing laptops? In the business world outside of government, someone would lose their job. Maybe the difference is, it’s only taxpayer money.