Shropshire Council website

This is the website of Shropshire Council


Agenda item

Governance assurance: AGS Action Plan 2023/24 Update

The report of the Executive Director of Resources (Section 151 Officer) is attached.

Contact: James Walton (01743) 258915

 

Minutes:

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – which provided an update on the agreed action plan as at September 2023.

 

The Executive Director of Resources (Section 151 Officer) introduced and amplified the report.  He explained that the 2021/22 and 2022/23 action plans had been pulled together into one document, appended to the report, and that the latest position as at end of August had been provided by either the senior manager, the Executive Director or the CEO as indicated and should provide the Committee with some assurance.

 

In relation to reducing the risk of cyber attacks (item 4 of the Action Plan), concern was raised that only 51% of employees had undertaken their data protection training. The Chairman commented that there were also seven members who had not completed their cyber security training and he stated that it was up to Group Leaders to ensure their members had completed this mandatory training and indeed, he would be raising this with his group leader. 

 

In response, the Executive Director of Resources (Section 151 Officer) explained that it was a constant battle, but that the numbers were analysed and measured separately for both officers and members. A paper had been passed by Full Council and a revised process was being drawn up. The Head of Technology and Automation had given him an update the previous day. They were looking to introduce a process whereby, if an employee or a member failed to undertake the training after the various automatic chasing emails had been sent, their laptop would be locked and would only be unlocked, to allow them to undertake the training, by telephoning the IT helpdesk. There were, however, a few issues still to be ironed out before this was rolled out. It was important to remember that, even with all the training being undertaken, people could still make mistakes, and even a very small error in cyber security, for example, could be catastrophic, so it was important to try to get as many people trained as possible to help reduce the risk.

 

In response to a query in relation to item 3 of the action plan around the Council’s ability to fund children’s services, it was agreed to request that the relevant Scrutiny Committee investigate why the Supporting Families claims target had not been met leading to Shropshire missing out on funding through payment by results.

 

In relation to concerns around the number of staff not having completed their cyber security training, the Executive Director of Resources (Section 151 Officer) explained that it was a complicated equation, and that the reason for setting the target at 95% was a number of factors that could not be controlled, in terms of turnover etc. However, when looking at staff numbers, there would be some staff who had just started and not yet done their training, there would be people who were about to leave, and there were also staff who might only access IT once a month, so did not have regular access to the IT systems but were still on the list, etc.

 

He went on to explain that when this had been looked at the previous year, there had been a real push across the organisation and a lot of time and effort had been spent rooting out all of those individuals who had not done the training, of whom there were several hundred. The IT Business Managers had been telephoning people and helping them complete the training, which was incredibly resource intensive and could not be sustained, and the level of compliance dropped back down into the mid-80% level. A process was therefore required that was sustainable, less resource intensive and built more around the technological processes to keep the percentages high.

 

A query was raised about the August 2023 budget performance dashboard, which showed a deficit of £35m. Members had received assurance at quarter 1 that the Council was on track; however, there was a predicted £23m overspend within the People Directorate, £7.9 within Place and £3.4m in Resources. In response, the Executive Director of Resources (Section 151 Officer) referred Members to the Cabinet meeting of 6 September where, in section 2.8 of the quarter one monitoring report, it was made very clear that the ‘Business as Usual’ forecast before any planned mitigations (do nothing) was £37.6m; this had now become £36.2m by the end of August. What was not shown on the dashboard, but was shown within the quarter one report, was the further savings of £11.9m and the demand mitigation figure of £20.5m, which led to a planned operating overspend of £5.2m. The information was therefore absolutely consistent with the information that had been provided to members and, in terms of the breakdown of that overspend, quarter one gave a very detailed breakdown of all of the overspends in each of the individual teams and service areas, which, in total, came to £37.6m at that point in time.

 

In response to a query, the Head of Technology and Automation joined the meeting and provided an update in relation to Cyber Security. In response to concerns around the non-compliance of members and staff to complete their cyber security training and what could be done to encourage them to complete it, the Head of Technology and Automation agreed that it was a challenge and that unless there was a concerted effort people did not keep cyber security training at the forefront of their mind so the problem was around how to change that cultural issue. 

 

In response to comments around turning off laptops, he felt that although that would help, it was very much a ‘stick’ type solution whereas a ‘carrot’ type solution was needed. Although they could turn off accounts automatically, the problem then became one of business processes: once people were locked out, how to get them back in to enable them to do the training. They might also have other urgent work to do that they could not undertake if their laptop was turned off. There were a few issues that they were trying to work through at the moment in order to address this. It was unclear, however, whether the threat of having their laptop turned off and having to ring through to log back on would make people do the training.

 

An example of a ‘carrot’ type solution could be that when people spot phishing emails, they get an email saying congratulations for not clicking on the link; however, the current software did not allow this. When it came to cyber security, staff were not the weakest link but were in fact the last line of defence and could make the difference between an organisation being secure or not. He discussed the various reasons why some members of staff may not be completing their training and how they could be helped or guided through it. It may be necessary to try different approaches and see what works. The compliance rate would never be 100% and the Council were currently around 85% compliant, which was slightly down from the previous year.

 

A suggestion was made that an announcement be made at a Full Council meeting reminding Members to complete their cyber security/data protection training and suggesting that they complete it after the meeting whilst in the Shirehall so that IT assistance could be requested if necessary.  It was agreed to raise this at the group leaders meeting.

 

Turning to the fundamental recommendations around performance set out in the Performance report (IT Contract Management and Disposal of IT equipment), the Head of Technology and Automation reported that the first (IT Contract Management) had been completed and that they had gone further: they were now meeting on a more frequent basis to discuss internal contracts and had a spreadsheet of all the contract information, so there were no surprises in relation to which contracts were coming to an end etc.

 

In relation to the Disposal of IT equipment, he confirmed that there was now a contract in place for the formal disposal of IT equipment that ran for two years following which a new Contract would be procured.

 

RESOLVED:

 

To note the actions identified in the Annual Governance Statement Action Plan update at Appendix A.

 

To request that the relevant Scrutiny Committee investigate why the Supporting Families claims target had not been met leading to Shropshire missing out on funding through payment by results.

 

 

 

 
