Issue - meetings

To approve the updated ICT Strategy and the new Cyber Security Strategy.

Purpose of report

To consider the updated ICT Strategy and the new Cyber Security Strategy.

Decision

Cabinet approve the:

1.    Updated ICT Strategy 2025 – 2028.

2.    New Cyber Security Strategy 2025 - 2028.

Authority was delegated to the Chief Executive in consultation with the relevant Cabinet Member to correct any typographical and grammatical errors.

Alternative options considered and rejected

The Council could have chosen not to have an ICT or Cyber Security Strategy, but this would not provide a robust framework within which to manage and develop ICT platforms.

Reasons for the decision

The refreshed ICT Strategy ensured the Council continued to provide modern services to residents and employees of the authority.

The ICT Strategy enabled the Council to review emerging technologies and adapt systems to ensure they were fit for purpose and future proofed.

The Cyber Security Strategy was a crucial part of the Council's duty to ensure that all systems were secure and that sensitive data held was safe. Councils must adopt proactive measures to ensure the integrity of their systems, for example:

·       Two-factor authentication (2FA).

·       Antivirus and endpoint protection.

·       Staff training on cyber hygiene (Cyber hygiene refers to the regular practices, habits, and precautions individuals and organisations take to protect their digital systems, devices, and data from cyber threats like malware, phishing and theft).

·       Regular security audits aligned with the National Cyber Security Centre’s Cyber Assessment Framework (CAF)

As Councils increasingly delivered services online, they must ensure digital platforms were secure, accessible, and inclusive. A strong Cyber Security Strategy reassured residents and businesses that their data was protected, fostering trust in digital services.

The Cyber Security Policy responded to the increasing threat of cyber attacks, and robust protection of systems and data. It documented proactive investment in cyber security measures, and alignment with the cyber assessment framework, whilst building risk aware infrastructure.

The following points were highlighted during debate:

·       Services requiring servers were increasingly moving to cloud-based solutions as opposed to on site server infrastructure. SKDC had robust off-site backup, with less reliance on physical servers. Most systems were now remote.

·       Cyber-attacks were the Council’s single biggest risk. SKDC had signed up to the Cyber Prevention Network and systems were frequently tested for resilience. Backups occured every 15 minutes and offsite backup plans were in place.

·       Service recovery times depended on the incident, but recovery times were routinely tested.

·       The depot was used as a backup location to give resilience to the authority. Each service area had a Business Continuity Plan.