The A-G warns that more cyber security is needed for online City body meetings with confidential information.
The City says tougher security measures are required as more online confidential Council, committee and board meetings are being conducted since the pandemic.
Auditor General Tara Anderson in a January 28 report called for online security guidelines to be beefed up with cybersecurity controls for conducting confidential meetings for City Council, its committees, boards, agencies and corporations.
It is possible for some bad actors to access some of the meetings to obtain confidential City information from staff online. There has already been major cybersecurity breaches at the Toronto Zoo, Toronto Public Library, some hospitals and the Cities of Hamilton and Huntsville.
In the past year there has been cyber security breaches against the Toronto Zoo, Toronto Public Library and Toronto and District School Board among others.
Anderson wrote that over the last five years the City like other organizations accelerated the use of online collaboration and meetings through technology due to the COVID pandemic.
“Hybrid meetings, a combination of in-person and online video conferencing, have become common, including for conducting legislative meetings,” Anderson noted. “While these meetings have benefits in terms of ease and efficiency, they also introduce cybersecurity and confidentiality risks.”
She called for a security review to further strengthen the practices and controls used in initiating and conducting online meetings, particularly for confidential (in-camera) meetings.
The report said new guidelines for online confidential meetings should be drawn up and disseminated to City divisions, boards, committees, agencies and corporations. The guidelines can also be used for staff cybersecurity training.
New and tough City cybersecurity guidelines are required for online meetings of Council, its boards, committees, agencies and corporations.
The guidelines will be used ‘to proactively prevent unauthorized access to confidential information discussed in these meetings.’
She said the City Clerk has developed processes and staff training to secure the electronic portion of closed meetings of City Council and its bodies.
The report cited online security breaches can occur if an unauthorized staff member remained in a confidential meeting, staff can log into a meeting with reused credentials or login credentials being communicated in a public session.
It called for access to confidential meeting to be controlled though codes or passwords, which should not be reused, enable ‘waiting room’ features to validate attendees and lock online meetings.