
Cyber Security - A Key Risk for Local Government

March 28, 2024

The report highlighted that Councils should improve governance over cyber security risks, assess against the OLG Cyber Security Guidelines (developed by Cyber NSW), take a risk-based approach to improvement plans, and conduct regular testing of their cyber incident response plan.

Cyber Security Risks: Cyber security is a key set of risks that all organisations across the nation are facing. The Australian Cyber Security Centre (ACSC) has quantified the cost of a cyber incident for a medium-sized organisation at nearly $100,000 per incident in 2022-23 [2].

Recently, the ACSC provided a series of alerts regarding vulnerabilities in specific technology widely used in Councils and the urgent need to remediate them. Such vulnerabilities are being used by attackers at an accelerating rate and, in some cases, within 24 hours of the announcement being made.

The top three cybercrimes reported in 2022-23 were email compromise, business email compromise fraud and online banking fraud, with social engineering a key strategy that criminals use to gain access or manipulate a staff member [3]. These crimes focus on people more than on technology, reinforcing the need to ensure that the cyber security plan includes people, processes and technology.

Cyber Security in Councils: Cyber security is not just an IT problem where technical controls can mitigate the risks. To address the cyber security threats faced daily, a whole-of-organisation response is required. Effective governance, cyber risk management, staff training and awareness, monitoring and incident response, and reporting all need to work in a coordinated framework. The OLG Cyber Security Guideline spans all of these elements and provides a holistic assessment for Councils.

Following an assessment against the OLG Guideline, Councils need to establish a long-term cyber security plan to ensure that all elements are addressed and that maturity across the organisation increases year on year.

Centium and Cyber Security: A number of local councils have engaged Centium to undertake an independent assessment of their cyber security posture against the NSW Office of Local Government Cyber Security Guideline. These assessments, which are a critical first step in a longer journey for Councils in managing their cyber security risks, gave those councils clarity over what cyber security controls are in place and what they still need to implement.

Centium strongly recommends all organisations assess their current cyber security posture, evaluate the effectiveness of current controls and build a comprehensive plan to address gaps and weaknesses. We can undertake an independent assessment and give you a baseline of where you are today: https://centium.com.au/contact-us/

1. https://www.audit.nsw.gov.au/our-work/reports/cyber-security-in-local-government

2. Australian Cyber Security Centre. ASD Cyber Threat Report 2022-2023 | Cyber.gov.au. 2023 14/11/23 [cited 2023 29/12/23]; Available from: https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023

3. Voce I & Morgan A 2023. Cybercrime in Australia 2023. Statistical Report no. 43. Canberra: Australian Institute of Criminology. https://doi.org/10.52922/sr77031
