Centium has recently undertaken cyber security health check assessments for six NSW Local Councils, shining a light on the common gaps many of them have.
These gaps were identified against the draft OLG Cyber Security Guideline, but many of them are simply better practice.
Despite the pressure to render more and more services digitally, many Councils have been on the back foot with regards to cyber security due to the onset of the pandemic and limited budgets. This can present challenges especially when it comes to securing Council systems, customer data and preventing business disruption.
That being said, the increasing number and impact of cyber-attacks that have been reported in Australia and globally has put many Councils on high alert as they try to improve their security.
In July 2021, Cyber Security NSW released a draft Cyber Security Guideline for Local Councils (including the Essential Eight) via the Office of Local Government. The guideline's objective is to assist Councils in improving their cyber security practices, not to enforce compliance. This gives Councils more time to strengthen their cyber security and raise their maturity levels to be in line with known better practices.
Centium was recently tasked by six NSW Councils to review their cyber security maturity in line with this draft guideline. In the article below, we share our learnings from these health checks to help other Councils better design and implement cyber security controls.
1. Poorly outlined roles, responsibilities and plans
Most Councils already have some cyber security controls in place. However, our health checks found that the Councils we reviewed shared common gaps in their cyber security controls:
Councils are yet to clearly define the cyber security roles and responsibilities of the General Manager/Chief Executive Officer, Risk Manager, Chief Information Security Officer (CISO), Chief Information Officer (CIO), and/or Information Security Manager.
This affects Councils' entire cyber security plans and actions from the top down. In fact, we saw this play out in a lack of approved cyber security plans within several Councils. With no plan or strategy in place, Councils cannot improve their cyber security in either the short or the long term.
2. Lack of governance at executive level
Despite the requirement that the General Manager or CEO be accountable for cyber security, many Councils that have governance committees with executive presence only discuss the cyber security aspects on an ad-hoc basis.
Councils often forget that Operational Technology (OT), such as video surveillance and building management systems that use automated, remotely controlled or remotely monitored assets, should also be governed, but in most cases it is not. This significantly increases risk when you consider the confidential information and data that these systems and technology may contain.
3. Cyber security risk assessments are not conducted well
Some Councils had a form of risk assessment. However, many of these risk assessments did not meet the specific requirements of the Council's own enterprise risk management standard, and neither the methodology nor the criteria for accepting risk were documented.
This leaves many Councils vulnerable to developing blind spots and unintentionally accepting their risks.
4. There are opportunities to improve cyber security awareness and culture
It is the responsibility of every person in Council to avoid actions that invite cyber security breaches; however, this isn't always communicated to staff. Outside of the IT department, our health checks found a lack of proactive culture and education regarding cyber security.
Councils cannot hope to reduce their risks if their staff and contractors don't know how to do so.
5. Sensitive or classified information is too accessible
While users and staff need access to sensitive or classified information or systems, many Councils are not managing this access proactively or effectively. You only have to check the media to find instances of ex-employees with grudges compromising systems and data; Councils, too, need to be aware of these risks.
Our health checks observed a lack of access control policy, irregular removal and auditing of privileges, ad-hoc reviews of access rights, access not being removed within a defined period, and a lack of documentation in managing user access.
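As an added illustration of the review that section 5 describes (this is not Centium's code or an artefact of the guideline), the script below audits a constructed access register against an assumed leaver-removal deadline and an assumed privileged-access review interval, and reports each breach of those two rules:

```python
from datetime import date

# Policy thresholds: assumed values for illustration, not taken from the OLG guideline.
REMOVAL_DEADLINE_DAYS = 5     # access must be removed within 5 days of termination
PRIVILEGED_REVIEW_DAYS = 90   # privileged rights must be re-certified every 90 days
AS_OF = date(2021, 10, 1)     # date the audit is run (constructed)

# Constructed sample access register; users, systems and dates are made up.
ACCESS_REGISTER = [
    {"user": "a.smith", "system": "rates-db", "privileged": True,
     "terminated": None, "removed": None, "last_review": date(2021, 3, 1)},
    {"user": "b.jones", "system": "cctv-nvr", "privileged": True,
     "terminated": date(2021, 8, 2), "removed": date(2021, 8, 20),
     "last_review": date(2021, 7, 1)},
    {"user": "c.lee", "system": "finance", "privileged": False,
     "terminated": date(2021, 9, 1), "removed": None,
     "last_review": date(2021, 6, 15)},
    {"user": "d.ng", "system": "finance", "privileged": False,
     "terminated": None, "removed": None, "last_review": date(2021, 9, 10)},
]


def audit_access(register, as_of):
    """Return a list of findings, one per policy breach in the register."""
    findings = []
    for e in register:
        base = {"user": e["user"], "system": e["system"]}
        if e["terminated"] is not None:
            # Leaver: access must be gone within the deadline. If it has not
            # been removed yet, measure the overdue period up to the audit date.
            end = e["removed"] or as_of
            days_open = (end - e["terminated"]).days
            if days_open > REMOVAL_DEADLINE_DAYS:
                issue = "late_removal" if e["removed"] else "not_removed"
                findings.append({**base, "issue": issue, "days": days_open})
        elif e["privileged"]:
            # Active privileged account: rights must be re-certified periodically.
            since_review = (as_of - e["last_review"]).days
            if since_review > PRIVILEGED_REVIEW_DAYS:
                findings.append({**base, "issue": "review_overdue",
                                 "days": since_review})
    return findings


if __name__ == "__main__":
    for f in audit_access(ACCESS_REGISTER, AS_OF):
        print(f"{f['user']:10} {f['system']:10} {f['issue']:15} {f['days']:>4} days")
```

Running the same check on a schedule, and keeping its output, gives the documented, regular review of access rights that the health checks found missing.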
6. No ISMS in place
Councils are expected to implement an Information Security Management System (ISMS), Cyber Security Management System (CSMS) or Cyber Security Framework (CSF) compliant with, or modelled on, one or more recognised ICT, OT or IoT standards. This ensures that Councils can protect their assets and information from threats and vulnerabilities.
This is a substantial commitment for Councils but essential in ensuring that information security policies and procedures are in place, 'crown jewels' are identified, and plans are in place to manage cyber security incidents.
7. Cyber security considerations are not built into procurement
Many Councils are yet to embed cyber security requirements into procurement and the early stages of projects. In addition, many Councils are yet to ensure that new systems and/or enhancements include audit trails and activity logging processes to assess data accuracy and integrity.
This means that Councils are at risk of giving systems with hidden threats access to their valuable data and assets.
8. Limited current cyber incident response plan and testing
While many Councils have some sort of plan in place to prevent incidents, most do not have any formal procedures to respond to, monitor and report events. This is especially concerning given that Councils are required to report incidents to the CISO and to Cyber Security NSW.
And of the Councils that do have plans in place, none has actually tested their effectiveness. This leaves Councils with unknown gaps in their responses, and no Council wants to discover those gaps when an event does occur.
Councils also need to deploy monitoring processes and tools for adequate incident identification and response. But we've observed that many Councils rely on manual monitoring only, without automated tools or alerts, which poses no challenge to the sophisticated and high-tech threats of today.
9. Not sharing information on security threats
Councils are expected to share information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Local Government and NSW Government to enable management of state-wide cyber risk.
But we found that many Councils aren't doing this, or, when they are, they share information and intelligence only within their own Council. Commonly, this is because they lack formal processes setting out what should be shared and when.
Similarly, most do not have protocols for receiving and acting on information and intelligence received from Cyber Security NSW.
All stakeholders, including the Audit, Risk and Improvement Committee, recognised that seeking assurance that cyber risk was being effectively managed was a high priority for inclusion in this year's internal audit plan.
Centium was engaged, based upon their understanding of the local government context, to share their knowledge and experiences.
The team adopted a practical approach and looked at cyber risk from not just an IT perspective but also considered operational aspects such as third-party management, training, and procurement, thus raising awareness that there are many touch points where a cyber incident could impact Council's operations.
The cyber review also complemented the recommendations made from other internal audits that had been completed throughout the year, such as privacy and information awareness, procurement and contract management.
The finished report included a comparative score for those that wanted to benchmark their progress against others. However, more importantly there was acknowledgement of the positive practices that were already in place.
Each of the 25 requirements detailed in the guidelines was assessed by the Centium team, with every assessment supported by a rationale, the priority the resulting tasks should be given, and practical recommendations. This provided management with a roadmap for strengthening their cyber security framework and an understanding of which areas should be prioritised, and was well received by all stakeholders.
The final report also provided a detailed action plan to enable the Internal Auditor to validate the completion of actions and provide regular reports to management and the Audit, Risk and Improvement Committee into the future.
While the OLG's guidelines have yet to be finalised, it is vital to start complying with the Guideline now to both protect your Council and prepare for the eventuality of it becoming policy.
The above common gaps can seem daunting to identify and tackle in your systems, but a thorough health check with recommendations from Centium can put you on the right track. In our previous health checks, we were able to identify multiple quick wins for Councils to implement and give them the breathing space required to deploy long-term changes.
Please feel free to contact our Director Penny Corkill for a no-obligation discussion on 0409 251 011 or email@example.com. Alternatively, browse Centium’s range of related services: Cyber, IT & Business Continuity.