Almost half of NSW councils do not have a formal cybersecurity plan in place and are failing to share cyber risks with those in charge of governance.

After three major attacks across Australian telecommunications, health, and financial services, a new report may help explain why Australian organisations and governments are being breached. The latest NSW Auditor General Financial Audit Local Government 2022 report found that 63 councils (47% of all NSW councils) lacked at least one of the basic governance and internal controls needed to manage cybersecurity. These controls include cybersecurity frameworks, policies, and procedures; registers of cyber incidents; simulated cyberattack testing (penetration testing); and cybersecurity training and awareness programs.

A recent PwC report confirmed that Australia remained an attractive target in 2022. Espionage, ransomware, and attacks on critical infrastructure presented significant threats to Australian organisations and institutions. The motivations of threat actors were the same: they seek information, money, and disruption.

Following cybersecurity guidance is optional

The main problem is that until the Cyber Security Guidelines for NSW Local Government were published in December 2022 by the Office of Local Government (OLG), there were no such guidelines for councils to follow. Worse yet, use of the guidelines is not mandatory, only “strongly recommended”, with no requirement to report maturity scores to the OLG or to Cyber Security NSW.

Since the guidelines were released after the 2021-22 financial audit period, their impact is yet to be seen, but there is a concern that making them optional can put councils at risk. “Given compliance with the guidelines released by OLG is not mandatory, there is an increased risk that councils may not develop an appropriate cybersecurity plan, which may prevent them from implementing key cybersecurity controls.
With no timeframes set for councils to create a cybersecurity plan or reporting requirements to the OLG, this further increases the risk that councils may have delays in the implementation of their cybersecurity controls,” read the report.

Some points remain concerning. Sixty-nine councils have no formal cybersecurity policy and have not communicated cyber risk to those in charge of governance. Both figures were up by 1% compared to the previous reporting period.

A February 2023 report from the Audit Office concluded that Cyber Security NSW has no formal authority to mandate cybersecurity requirements on local councils. The OLG, as the regulator, has the policy, legislative, investigative, and program focus to regulate local councils, and is responsible for strengthening the sustainability, performance, integrity, transparency, and accountability of the local government sector.

Some cybersecurity improvements seen for NSW councils

Before the OLG guidelines were published, some councils had already started developing their cybersecurity plans, adopting guidance from Cyber Security NSW, the Australian Cyber Security Centre (ACSC), the International Organization for Standardization (ISO standards), the US National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI DSS).

Some of the improvements identified were quite significant. A total of 34% of councils were yet to conduct cybersecurity training and awareness, an improvement on the previous financial year's 51%. Other improvements include only 30% of councils being without a register of incidents, down from 40%. More councils now identify cybersecurity as a risk, and more councils have formal cybersecurity roles and responsibilities established.

Councils need to prioritise and create a cybersecurity plan to ensure that cybersecurity risks over key data and IT assets are appropriately managed and key data is safeguarded, the report recommended.
Councils should refer to the Cyber Security Guidelines for NSW Local Government released by the OLG.

In May, another Audit Office report revealed that two Australian universities had reported financial loss from cyber incidents. Unlike councils, most universities have continuously assessed their cybersecurity controls. However, 31% of entities relying on third-party service providers did not require their providers to notify them of cyber incidents.