The latest NSW Auditor General Financial Audit Local Government 2022 report found that 63 councils (47 per cent of all NSW councils) lacked at least one of the basic governance and internal controls to manage cybersecurity.
This includes cybersecurity frameworks, policies, and procedures; registers of cyber incidents; simulated cyber attack testing (penetration testing); and cybersecurity training and awareness programs.
A recent PwC report confirmed that Australia remained an attractive target in 2022. Espionage, ransomware, and attacks on critical infrastructure presented significant threats to Australian organisations and institutions. The motivations of threat actors were the same: They seek information, money, and disruption.
Following cybersecurity guidance is optional
The main problem is that until the Cyber Security Guidelines for NSW Local Government were published in December 2022 by the Office of Local Government (OLG), there were no such guidelines for councils to follow. Worse yet, use of the guidelines is not mandatory, only “strongly recommended”, with no requirement to report maturity scores to the OLG or to Cyber Security NSW.
Since the guidelines were released after the 2021-22 financial audit period, their impact is yet to be seen, but there is a concern that making it optional can put councils at risk. “Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cybersecurity plan, which may prevent them from implementing key cybersecurity controls.
With no timeframes set for councils to create a cyber security plan or reporting requirements to the OLG, this further increases the risk that councils may have delays in the implementation of their cyber security controls,” read the report.
Some points remain concerning. Sixty-nine councils have no formal cybersecurity policy and have not communicated cyber risk to those in charge of governance. Both figures were up by 1 per cent compared to the previous reporting period.
A February 2023 report from the Audit Office concluded that Cyber Security NSW has no formal authority to mandate cybersecurity requirements on local councils.
The OLG, as the regulator, has the policy, legislative, investigative, and program focus to regulate local councils and is responsible for strengthening the sustainability, performance, integrity, transparency, and accountability of the local government sector.
Some cybersecurity improvements seen for NSW councils
Before the OLG guidelines were published, some councils had already started developing their cybersecurity plans by adopting guidance from Cyber Security NSW, the Australian Cyber Security Centre (ACSC), the International Organization for Standardization (ISO standards), the US National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI DSS).
Some of the improvements identified were quite significant. A total of 34 per cent of councils were yet to conduct cybersecurity training and awareness, an improvement on the previous financial year's 51 per cent.
Other improvements include a drop in the share of councils without a register of incidents, from 40 per cent to 30 per cent. More councils now identify cybersecurity as a risk, and more councils have formal cybersecurity roles and responsibilities established.
Councils need to prioritise and create a cybersecurity plan to ensure cybersecurity risks over key data and IT assets are appropriately managed and key data is safeguarded, recommended the report. Councils should refer to the Cyber Security Guidelines for NSW Local Government released by the OLG.
In May, another Audit Office report revealed that two Australian universities had reported financial losses from cyber incidents.
Unlike councils, most universities have continuously assessed their cybersecurity controls. However, 31 per cent of entities relying on third-party service providers did not require their providers to notify them of cyber incidents.