Auditor planted virus to expose holes in city's IT shield
City's cyber security vulnerable to breaches, auditor finds
The city's data systems are at risk of significant data loss, corruption and exposure of personal and confidential information due to cyber security weaknesses, the auditor general revealed in his report on Thursday.
In an investigation that involved auditors successfully planting a virus in the city's network, auditor general Ken Hughes exposed several issues that put city information under threat.
He tabled his findings in his annual report at the city's audit committee meeting.
The auditor's team looked specifically at the way city employees and other users access the city's IT network from outside city buildings. That includes paramedics in the field, employees working from home and third-party vendors accessing the city's network.
The audit found passwords are susceptible to theft and misuse and city-issued laptops are not properly secured.
Auditor attacks the network
Hughes's team conducted a number of tests to see if they could infiltrate the system with malware containing a benign virus. One of the tests was successfully detected while several other tests were not.
"Had this been a malicious attack, the city's network would have been susceptible to the hacker's objective," the report stated.
Corporations typically hire third parties to perform tests like the one the auditor's team performed to test the penetrability of the system, but the report states the city hasn't done that.
The auditor also found there was no central strategy to address remote access security, and there is no plan to create one.
IT budget to increase
On Wednesday the city's IT committee approved a six per cent budget increase for the department to beef up the city's cyber security efforts.
At that meeting city chief information officer Saad Bashir told committee the city has fended off 1,600 attempts to compromise city computers.
Many details of the audit could not be shared publicly because they contain sensitive security information.
In a meeting behind closed doors, Bashir assured councillors his department is working to close security gaps in the city's systems.
"I'm confident based on what the CIO told us that the proper things have been put in place to close all those doors," said Steve Kanellakos.
The auditor made seven recommendations, which include a review of IT policies that should be completed every two years. All seven recommendations were accepted by city management.