Samira Sarraf
Regional Editor for Australia and New Zealand

NSW councils not taking cybersecurity seriously

News
14 Jun 2023, 3 mins
Government, Risk Management

Almost half of NSW councils do not have a formal cybersecurity plan in place and are failing to share cyber risks with those in charge of governance.


After three major attacks across Australian telecommunications, health, and financial services, a new report may help explain why Australian organisations and governments keep being breached. The latest NSW Auditor General Financial Audit Local Government 2022 report found that 63 councils (47% of all NSW councils) lacked at least one of the basic governance and internal controls needed to manage cybersecurity. These controls include cybersecurity frameworks, policies, and procedures; registers of cyber incidents; simulated cyberattack testing (penetration testing); and cybersecurity training and awareness programs.

A recent PwC report confirmed that Australia remained an attractive target in 2022. Espionage, ransomware, and attacks on critical infrastructure presented significant threats to Australian organisations and institutions. The motivations of threat actors were the same: They seek information, money, and disruption.

Following cybersecurity guidance is optional

The main problem is that until the Office of Local Government (OLG) published the Cyber Security Guidelines for NSW Local Government in December 2022, there were no such guidelines for councils to follow. Worse yet, use of the guidelines is not mandatory, only "strongly recommended", and there is no requirement to report maturity scores to the OLG or to Cyber Security NSW.

Since the guidelines were released after the 2021-22 financial audit period, their impact is yet to be seen, but there is concern that leaving them optional puts councils at risk. "Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cybersecurity plan, which may prevent them from implementing key cybersecurity controls. With no timeframes set for councils to create a cybersecurity plan or reporting requirements to the OLG, this further increases the risk that councils may have delays in the implementation of their cybersecurity controls," the report read.

Some findings remain concerning. Sixty-nine councils have no formal cybersecurity policy and have not communicated cyber risk to those charged with governance. Both figures were up by 1% compared to the previous reporting period.

A February 2023 report from the Audit Office concluded that Cyber Security NSW has no formal authority to mandate cybersecurity requirements on local councils. The OLG, as the regulator, has the policy, legislative, investigative, and program focus to regulate local councils, and is responsible for strengthening the sustainability, performance, integrity, transparency, and accountability of the local government sector.

Some cybersecurity improvements seen for NSW councils

Before the OLG guidelines were published, some councils had already started developing their cybersecurity plans using guidance from Cyber Security NSW, the Australian Cyber Security Centre (ACSC), International Organization for Standardization (ISO) standards, the US National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI DSS).

Some of the improvements identified were significant. A total of 34% of councils were yet to conduct cybersecurity training and awareness, down from 51% in the previous financial year. Only 30% of councils were without a register of incidents, down from 40%. More councils now identify cybersecurity as a risk, and more councils have established formal cybersecurity roles and responsibilities.

The report recommended that councils prioritise creating a cybersecurity plan to ensure that cybersecurity risks to key data and IT assets are appropriately managed and that key data is safeguarded. Councils should refer to the Cyber Security Guidelines for NSW Local Government released by the OLG.

In May, another Audit Office report revealed that two Australian universities had reported financial losses from cyber incidents. Unlike councils, most universities have continuously assessed their cybersecurity controls. However, 31% of entities relying on third-party service providers did not require their providers to notify them of cyber incidents.