The NSW Audit Office recently released its 2022 report on local government and highlighted many areas of improvement required of local governments. The audits revealed that 47% of councils lacked a cyber security plan, leaving their data and assets vulnerable. Additionally, deficiencies were found in crucial areas such as policies, procedures, privileged access management, and internal controls. The report warns of potential consequences, including data destruction, theft, denial of service(s), and the financial impacts of repairing affected systems, networks, or devices. Establishing a solid foundation for cyber security requires implementing controls outlined in the NSW Office of Local Government Cyber Security Guideline, as well as technical controls provided by the Australian Cyber Security Centre and their Essential Eight controls.
The significance of cyber security is increasing as a threat and cannot be underestimated, affecting all organisations, including local government. Data from the Australia Cyber Security Centre indicates that the average cost of a cyber security incident for medium-sized organisations exceeds $80,000 per incident. Safeguarding the confidentiality, integrity, and availability of data and systems is crucial in mitigating both external threats and internal vulnerabilities caused by poor practices and processes. The initial steps to address this issue involve developing a robust cyber security plan and implementing a comprehensive cyber security framework, complete with policies and procedures. These measures help establish clear roles and responsibilities throughout the organisation. Supporting these efforts with regular cyber security training and awareness programs for all staff is essential. Testing incident response plans and conducting simulations of cyber-attacks through techniques like penetration testing and phishing simulations are effective ways of ensuring that plans and playbooks are thorough and well-practiced for when they are really needed.
Over the past two years, Centium has conducted health checks and audits on cyber security for more than a dozen councils. As a result, we have gained valuable insights into the level of maturity of these councils in relation to the Office of Local Governments Cyber Security Guidelines. Through this work, we are able to offer our clients benchmark data, enabling them to better understand their level of maturity in comparison to the guidelines set by the State of NSW. However, it is important to emphasise that the goal should not simply be to achieve the highest level of maturity across the State, but rather to effectively manage the specific risks and threats each Council faces.
We also stress to our clients that building and implementing their cyber security plan is a multi-year journey that requires engagement from all aspects of the organisation. It should not be seen as solely an issue for the IT department or systems. Robust training and awareness programs are necessary to foster a shift change in the culture within councils to identify and manage cyber security risks as part of day-to-day operations.
The approach taken to identify and manage cyber security risks should be consistent with the council’s enterprise risk management framework. Special attention should be given to ensuring that the risk analysis accurately reflects the likelihood and consequences of cyber threats. This may entail a review of their broader risk management framework for some councils. At the very least, it provides an opportunity for councils to refresh their risk registers and ensure they reflect all current and emerging risks.
We look forward to opportunities to work with more councils and assist them in understanding their current cyber security posture. Our expertise can help identify areas where improvement is needed and provide recommendations to enhance your Cyber Security maturity, security and overall resilience. If you would like to explore how we can help your organisation, please contact: Scott Thomson, Director of Cyber & IT at email@example.com.