Toronto’s auditor general is pushing the city to beef up cybersecurity to avoid a “devastating” data breach.
In a report heading to council’s audit committee on Friday, Beverly Romeo-Beehler says the city needs to “strengthen” information technology and security controls, adding little has been done since she brought forward similar concerns three years ago.
Right now, around 4,700 terabytes worth of public data are housed in various systems and computers at the city, her report notes.
“A single breach could have a devastating impact,” Romeo-Beehler writes.
Cybersecurity breaches — like ransomware or phishing attempts, where high-level employees are impersonated — have made headlines recently in other Canadian municipalities.
Just this year, city staff in Saskatoon sent more than $1 million to a person who was using an email address to impersonate the chief financial officer for a construction company city officials were working with.
The city of Ottawa’s treasurer wound up in a similar situation and unknowingly transferred more than $100,000 to fraudsters after someone used a fake email account to impersonate the city manager, while Burlington officials fell victim to a “complex” $500,000 phishing scheme.
Cybersecurity expert Kevvie Fowler, the global incident response leader for Deloitte, said municipalities often have a lot of assets that are desirable to hackers, including personal information like residents’ financial data, mortgage information, birth and death records, and social insurance numbers.
“It definitely makes them a target from a cybercrime standpoint,” he added.
Cybersecurity a ‘constant’ concern, mayor says
Fowler said all cities, Toronto included, should ensure their systems have “basic hygiene” in place.
That can mean cyber awareness training for workers, or putting response plans in place in case there’s a breach.
Alongside her new report, Romeo-Beehler provided a series of confidential recommendations to city officials, aimed at making changes to both the technical and culture side, along with looking at human behaviour when it comes to cybersecurity threats.
She noted that none of her previous recommendations from 2016, which included vulnerability assessment and penetration testing, have been fully implemented.
Mayor John Tory, speaking to reporters last week, stressed that the city is making an effort.
“This is a constant topic of concern to us, that we are working hard to ensure the data and systems maintained by the city are secure,” he said.
“If there’s more to be done, it will be done. Because we can’t afford to have people out there thinking the information that they share with us is at risk.”