Office of the Auditor General completes Cyber Security Follow Up Audit

HAMILTON, ON – The City of Hamilton’s Office of the Auditor General (OAG) completed Phase 1, Pre-Breach Analysis of their Cyber Security Follow Up Audit. This Phase 1 report is the first of four reports which together, form the follow-up to the OAG’s initial Cyber Security Audit, which had been completed in April 2021, prior to the City’s cybersecurity incident in February 2024. 

The initial 2021 Audit revealed critical weaknesses in the City’s security posture and recommendations were made by the OAG (at the time, known as the Office of the City Auditor). Efforts to engage third-party remediation were initiated by the City but delayed in the period following the results of the 2021 Audit and the cyber incident (February 2024), resulting in limited remedial action and minimal progress being made to improve the City’s security posture by the time of the breach. 

Phase 1 of the Cyber Security Follow Up Audit focused on pre-breach analysis and assessed the City’s progress since the initial 2021 Audit. It reviewed governance structures, staffing and leadership continuity, training and awareness programs, technical readiness, and incident response training. 

Key observations within this Audit include:

• Persistent understaffing in key cybersecurity roles which limited the City’s ability to manage and implement security controls
• Frequent leadership turnover disrupted prioritization and delayed execution of strategic security initiatives and key risk mitigations
• Recommendations from the 2021 cybersecurity audit remained largely unimplemented at the time of the breach due to lack of resources, leadership continuity and institutional support
• The lack of a centralized governance and mature cybersecurity program led to fragmented practices and policy inconsistencies 
• The City’s risk management program did not proactively identify and address risks across existing and emerging programs and services
• End-user training focused only on basic awareness and lacked advanced education on cybersecurity and more specifically, security personnel had not received formal training or upskilling since 2020

“Attention to cyber security is important and efforts need to be sustained and ongoing,” said Charles Brown, Auditor General “The six key observations we made during Phase 1 of the Follow Up Audit explain the limited progress the City was able to achieve following the initial 2021 Cyber Security Audit. Our findings underscore the reality that Information Technology is complex and requires the successful coordination of people, processes, planning and governance.”

Phase 1 also identified pre-breach strengths of the City’s cybersecurity, which include:

• Efforts to improve the visibility of cybersecurity had been ongoing for a few years
• A Cyber Incident Response Plan which aligned with the National Institute of Standards and Technology’s cybersecurity framework
• An emergency response plan to coordinate across departments and maintain service continuity
• Active recruitment for cybersecurity professionals to address resource gaps
• Hamilton Water’s resilience and readiness in terms of its security and operational technology

• The OAG’s Cyber Security Audit in April 2021 overall objective was to assess many areas of the City’s Information Technology network. 
• A planned follow-up to the April 2021 Audit was to occur in 2024, however, the cybersecurity incident took place which caused a delay and modification to the original scope of the review.