Cloud storage and security - Find a freedom of information request

Request

Storage

a. What is your annual spend on cloud storage and also on-prem storage (please split out the costs)?

b. Do you have a cloud strategy, if so when was it last assessed?

c. How do you back up your data and with who e.g. Backup as a Service through XXX

d. How much do you spend on data backup annually?

Security

a. How much do you spend on cyber security infrastructure?

b. How many attempted cyber-attacks have you suffered?

c. How many successful cyber breaches have you suffered?

d. If yes to 2c, did you pay the ransom and how long did it take for systems to come back online?

e. If yes to 2c, were any of these ransomware attacks?

If you do not record the data by any of the above, please share the most similar you do record by.

Please could you provide data for the last 5 financial years. If you are unable to provide 5 years of data, please provide 3 years, otherwise please provide data for the last 2 years.

Decision

Storage

a. Cloud Storage – Lincolnshire County Council (LCC) began a project to transition to Cloud Storage in April 2021, therefore there is a limited amount of annual data currently available.

2023/2024: £1,267,348 (forecast)

2022/2023: £1,091,290

2021/2022: £1,330,462

On-prem storage – LCC do not hold this data.

b. LCC do not have a written cloud strategy at this stage.

c. LCC’s outsourced IT Service provider, Serco, uses Commvault.

d. LCC has a contract with SERCO who are responsible for procuring this service. SERCO is a private company and is not covered by the Freedom of Information Act (FOIA). Broadly only organisations considered public authorities are covered by the legislation. This means FOI requests cannot be made to businesses and private companies generally. Therefore, Lincolnshire County Council does not hold this information.

Security

a.

2023/2024: £281,124

2022/2023: £188,166

2021/2022: £152,287

Plus Serco costs, as per response to question d above.

b. The data held regarding cyber-attacks is limited to malicious email and is provided for the last three years:

2022/2023 – Phishing email 66753; Malware 2850

2021/2022 – Phishing email 83648; Malware 4686

2020/2021 – Phishing email 70369; Malware 9453

c. Two. It may be helpful to know that LCC record a cyber attack as successful if security controls failed or there was interaction with a malicious email, even when the impact to the council or individuals is negligible. A cyber breach does not necessarily mean there was a data breach. Our security incident reporting policy can be found here: https://www.lincolnshire.gov.uk/council-councillors/security-incident-reporting-policy

d. Not Applicable.

e. Not Applicable.

Reference number
7755741
Date request received
31 August 2023
Date of decision
21 September 2023