The internal security of digital data and networks at the Municipality of Eindhoven is as leaky as a sieve, according to the Rekenkamer (Court of Auditors).
Updates that lag behind, no overview of software that staff have installed on their own initiative, and an unclear division of responsibilities. From the outside, the municipal organisation is well protected against break-ins into its digital network. Internally, however, there is much to criticise about the state of security.
For example, the municipality’s password policy, adopted in the summer of 2021, provides a good basis for secure passwords. However, the requirements of that policy are not enforced by the system, writes the Court of Auditors committee.
Also, software that is purchased is not assessed by the appropriate people, neither beforehand nor afterwards. Some software suppliers are supposed to renew their security certificates annually, but this is not monitored within the municipality, nor is it laid down who should do so.
No plan of action
According to the auditor’s report, there is also a considerable chance that departments are using software that does not meet the security requirements. And in the event of a calamity, for example a security leak, there is no structured plan of approach, which leaves the organisation vulnerable, according to the Court of Auditors.
In addition, there is software that lags far behind when it comes to installing updates. The municipality is said to be in the process of catching up.
Little attention for the protection of personal data
The municipality is also said to pay too little attention to the protection of personal data. This is a worrying note in the report, because the municipality operates a scanning car for parking enforcement, enforcement officers wear body cams, there is a crowd monitor and there is camera surveillance in many places. The report concludes that the protection of all this data is insufficient.
The interaction between the administration and the organisation regarding digital security is also said to be inadequate. Communication between the two bodies is ‘incidental’, meaning there is no structured consultation. Officials who work hard to improve digital security within the municipal organisation, moreover, experience too little support from that organisation. In addition, too little budget is available to properly address the existing problems.
20 per cent
The Court of Auditors conducted the investigation by analysing relevant documents and interviewing the officials involved. In addition, a so-called “penetration test” was performed: a fake phishing e-mail, styled in the municipality’s house style, was sent within the organisation. Twenty per cent of the employees responded to it.
Translated by: Bob