Vulnerable New South Wales local councils are “not effectively” managing cyber security risks, the Audit Office of NSW has warned, after a review identified “unmitigated risks to the security of information and assets” due to significant gaps in the councils’ cyber security capabilities.

The Cyber Security in Local Government audit, which reviewed risk management and cyber security operational processes at three unnamed state councils, identified a laundry list of shortcomings – including finding that none of the reviewed local governments have up-to-date plans and processes to enable them to detect, respond to, and recover from cyber incidents.

None of the councils had assessed the business value of their information and systems to help prioritise cyber security efforts, and none had assigned cyber security responsibilities for their core systems.

Just one of the three councils had a formal plan to improve cyber security, while none were effectively managing third-party cyber security risks – an often devastating blind spot that has seen organisations like Latitude Financial Services, Medibank, British Airways, and many healthcare providers compromised when key partners and suppliers were hit.

The three audited councils “are not effectively identifying and managing cyber security risks,” the audit report concluded, warning that “as a result, councils’ information and systems are exposed to significant risks, which could have consequences for their communities and infrastructure.”

“Poor management of cyber security can lead to consequences including theft of information or money, service interruptions, costs of repairing affected systems, and reputational damage.”

Recent Australian victims, including Central Coast Council and Woollahra Council, have in the past month been joined by the Florida cities of St Cloud, Pensacola and Jacksonville Beach; local governments in Oakley, California and Butler County, Pennsylvania; and the UK’s Leicester City Council.

All have suffered damage including compromised citizens’ personal data and interruptions to phone services, payment portals, municipal services, waste collection and other service bookings, and more.

Recognising that security deficiencies have exposed the three councils – and, by extension, the state’s other 125 local councils – the report identified five priority recommendations for all councils to undertake.

These include integrating the assessment and monitoring of cyber security risks into corporate governance activities and processes; completing self-assessments against the requirements of the Cyber Security Guidelines – Local Government; and a “structured program of activities” and gap analysis to improve cyber security maturity.

Councils must also develop cyber security strategies to protect their data, the report advised, including building a catalogue of all council information systems; conducting a risk analysis shaped by the business value of that information; undertaking regular training and awareness activities; and developing, implementing, and testing cyber incident response plans.

Cyber security imperative fails to resonate

It’s far from the first time councils have been warned over laissez-faire cyber security practices: last year, a Victorian Auditor-General’s Office (VAGO) audit found a “significant rise” in poor IT security controls, while a 2021 Audit Office of NSW review found that 58 councils had yet to implement even basic governance and internal controls for cyber security.

New state requirements aim to change that – with all NSW councils required to have a risk management framework and an internal audit function by 1 July – although even with this change coming, published Office of Local Government guidelines only mention information security once.

Given that many councillors and council executives have previously run small local businesses, it is unsurprising that many of the identified challenges echo the findings of a new CyberWardens survey, which found that four in ten small businesses have no confidence in their ability to protect against a cyber attack.

Just half protect financial, cloud, social media, and email accounts using multi-factor authentication (MFA), while a similar percentage reported backing up their systems daily, ensuring they don’t store passwords in a document for easy access by team members, and having an IT expert harden devices to improve security.

Yet only 38 per cent said they train staff about cyber security risk and just six in ten said that each employee has their own login and password – meaning the remainder, particularly in companies with casualised workforces, are sharing passwords that can easily become fodder for ‘credential stuffing’ attacks.