Council in constant battle to ward off cyber-attackers

Excessive security measures by the information technology department (IT) of Mayo County Council are giving rise to reputational damage for councillors, a member of Mayo County Council has claimed.

Fine Gael Cllr Donna Sheridan told last week's council meeting that the situation has become so problematic she no longer uses her council email address and is instead communicating with constituents via a personal email address.

Cllr Sheridan made her remarks following a presentation by the council's Head of Information Systems, Deirdre Lavelle, who outlined that a budget of €4.2 million is dedicated to the unit for 2025, covering everything from licensing and subscriptions to security and salaries.

Ms Lavelle pointed out that more than three million emails come through the council system in any one year and these are "a gateway for cybersecurity and could lead to phishing attacks and unauthorised access". Multi-layered security measures have been introduced, including multi-factor authentication (MFA), and regular cyber security training is made available for councillors.

The council's IT department manages resources for 1,200 licence users, 1,500 laptops/desktops and 1,000 mobile phones/tablets.

“There are 256,000 emails received every month and any one of them could bring the system down. All are scanned and anything suspicious in the email is quarantined, which while sometimes inconvenient, is a direct response to the sheer volume of spam and potential threats that flood our email system daily.

"The prioritisation of security over convenience is not unique to Mayo but is something we cannot afford to compromise on."

Of the 289 requests for the release of emails last year, just five were withheld for fear of them being malicious.

“A breached email account can serve as a gateway for cybercriminals to infiltrate Mayo County Council’s systems and networks and such an incident could lead to a phishing attack on council staff; unauthorised access to council systems and sensitive data; service disruptions due to malware and financial and reputational damage resulting from data breaches.” 

Ms Lavelle said the cyber threat landscape continues to evolve, with local government organisations increasingly becoming prime targets for malicious acts, adding that cyber-attacks can cripple essential services such as emergency response, housing delivery, and administrative functions, citing the HSE cyberattack in 2021 which was estimated to have cost €102 million.

However, Cllr Sheridan said the system is becoming less accessible and "this is reputationally damaging" to councillors.

"I don’t give my council email address anymore because I can’t be guaranteed I will get my emails.” 

Cllr Jarlath Munnelly said the security measures were as “extreme as could be and would not even be as tough in banks”.

Council chief executive Kevin Kelly said he wished to acknowledge the outstanding work of Ms Lavelle and her team, adding: “The cyber security issue is one of the top items on our lists and while part of the problem is we do have significant measures in place, the focus is on bodies such as ours being subject to attacks.” 

Members congratulated Ms Lavelle on an “excellent presentation” and thanked the IT unit for maintaining cyber security standards.