The City of Hamilton’s Office of the Auditor General released the first of four reports analyzing the February 2024 cyberattack against the city.
The report, released on Oct. 2, determined that city staff were warned of “critical weaknesses in the city’s security posture” in a 2021 audit, three years before the cyberattack.
Listed as a key observation, the Auditor General says that recommendations from that 2021 cybersecurity audit “remained largely unimplemented at the time of the breach due to lack of resources, leadership continuity, and institutional support.”
Hamilton’s City Manager at the time was Janette Smith.
Mayor Andrea Horwath appointed Marnie Cluckie as City Manager using her strong mayor powers on Jan. 15, 2024, after Smith announced her retirement.
The Auditor General says that efforts to engage in third-party remediation were initiated by the city following the 2021 audit, but were delayed, “resulting in limited remedial action and minimal progress being made.”
This first report from the Auditor General specifically focused on pre-breach analysis and assessed the city’s progress since the initial 2021 audit.
The report reviews governance structures, staffing and leadership continuity, training and awareness programs, technical readiness, and incident response training.
There were five other key observations in the report, including that persistent understaffing in key cybersecurity roles “limited the city’s ability to manage and implement security controls.”
Next, the report states that frequent leadership turnover “disrupted prioritization and delayed execution of strategic security initiatives and key risk mitigations.”
Third, the findings indicate that “lack of a centralized governance and mature cybersecurity program led to fragmented practices and policy inconsistencies.”
Fourth, the city’s risk management program reportedly “did not proactively identify and address risks across existing and emerging programs and services.”
Fifth, end-user training is said to have “focused only on basic awareness and lacked advanced education on cybersecurity and more specifically, security personnel had not received formal training or upskilling since 2020.”
Auditor General Charles Brown commented in a press release, “Attention to cyber security is important and efforts need to be sustained and ongoing.”
“The six key observations we made during Phase 1 of the Follow Up Audit explain the limited progress the City was able to achieve following the initial 2021 Cyber Security Audit. Our findings underscore the reality that Information Technology is complex and requires the successful coordination of people, processes, planning and governance.”
The City of Hamilton immediately responded to the report, saying that they have made “a number of structural, technical, and governance changes” to address gaps outlined by the Auditor General.
Those include realigning the Information Technology (IT) Department to report directly to a newly created Chief Information Officer (CIO), recruiting the city’s first Chief Information Security Officer (CISO), and introducing enhanced security protocols, such as multi-factor authentication.
The lack of multi-factor authentication, a basic security process that requires users to provide at least two forms of identity verification to access an account or device, is reportedly the reason why the city’s cyber insurance claim was denied.
Hamilton taxpayers are on the hook for more than $18 million in cyberattack recovery spending after the city’s insurance claim was denied because they failed to follow the proper policy requirements.
Based in Hamilton, he reaches hundreds of thousands of people monthly on Facebook, Instagram, TikTok, and Twitter. He has been published in The Hamilton Spectator, Stoney Creek News, and Bay Observer. He has also been a segment host with Cable 14 Hamilton. In 2017, he received the Chancellor Full Tuition Scholarship from the University of Ottawa (BA, 2022). He has also received the Governor General’s Academic Medal. He formerly worked in a non-partisan role on Parliament Hill in Ottawa.
