
Cyber Security - A Key Risk for Local Government

March 28, 2024

The NSW Audit Office report on cyber security in local government [1] highlighted that Councils should improve governance over cyber security risks, assess themselves against the OLG Cyber Security Guidelines (developed by Cyber Security NSW), take a risk-based approach to improvement plans, and regularly test their cyber incident response plans.

Cyber Security Risks: Cyber security is a key set of risks facing all organisations across the nation. The Australian Cyber Security Centre (ACSC) put the cost of a cyber incident for a medium-sized organisation at nearly $100,000 per incident in 2022-23 [2].

Recently, the ACSC issued a series of alerts about vulnerabilities in specific technology widely used in Councils and the urgent need to remediate them. Attackers are exploiting such vulnerabilities at an accelerating rate, in some cases within 24 hours of the vulnerability being announced, which leaves very little time between disclosure and exploitation.

The top three cybercrimes reported in 2022-23 were email compromise, business email compromise fraud and online banking fraud, with social engineering a key technique criminals use to gain access or manipulate a staff member [3]. These attacks target people more than technology, reinforcing the need for a cyber security plan that covers people, processes and technology.

Cyber Security in Councils: Cyber security is not just an IT problem that technical controls alone can mitigate. Addressing the threats faced daily requires a whole-of-organisation response: effective governance, cyber risk management, staff training and awareness, monitoring and incident response, and reporting all need to work together in a coordinated framework. The OLG Cyber Security Guideline spans all of these elements and provides a holistic assessment for Councils.

Following an assessment against the OLG Guideline, Councils need to establish a long-term cyber security plan to ensure that all elements are addressed and that maturity across the organisation increases year on year.

Centium and Cyber Security: A number of local councils have engaged Centium to undertake an independent assessment of their cyber security posture against the NSW Office of Local Government Cyber Security Guideline. These assessments, which are a critical first step in a longer journey for Councils in managing their cyber security risks, gave those councils clarity over what cyber security controls are in place and what they still need to implement.

Centium strongly recommends that all organisations assess their current cyber security posture, evaluate the effectiveness of existing controls and build a comprehensive plan to address gaps and weaknesses. We can undertake an independent assessment and give you a baseline of where you are today: https://centium.com.au/contact-us/

1. Audit Office of New South Wales. Cyber Security in Local Government. https://www.audit.nsw.gov.au/our-work/reports/cyber-security-in-local-government

2. Australian Cyber Security Centre. ASD Cyber Threat Report 2022-2023. Published 14 November 2023 [cited 29 December 2023]. https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023

3. Voce I & Morgan A (2023). Cybercrime in Australia 2023. Statistical Report no. 43. Canberra: Australian Institute of Criminology. https://doi.org/10.52922/sr77031

Advice from Scott Thomson, Director Cyber & IM at Centium.

Many of us are careful in all our online activities, including finding a bargain when shopping online, but many of our family and friends may not be as informed or careful when undertaking these activities. This risk increases when they are motivated to find the ‘best deal’ or get the ‘best present’ for the holiday season.

Unfortunately, many of our family and friends are the perfect target for cyber criminals, who use the urgency of the 'sales' season to gain access to bank accounts and credit card details and to commit other online crimes.

As we gather together over the upcoming holiday season, it is a good time to help our families and friends understand the threats that are out there and how easy it is to become a victim, and to give them some steps they can take to reduce the risk of becoming these criminals' next victim.

The Australian Cyber Security Centre has published the following advice, which we can use to check our own habits and share with others. The ACSC page linked below also offers a two-minute quiz that helps people test how resilient they are to these cybercrimes.

(https://www.cyber.gov.au/protect-yourself/staying-secure-online/shopping-and-banking-online/online-shopping)

Shop using secure devices

Make sure the devices you use for online shopping have the latest updates installed and are connected to a trusted network. For example, use your home Wi-Fi or your 4G/5G mobile data connection rather than public Wi-Fi.

Protect your payment information and accounts

Be careful saving payment information on an online shopping account. If you do save payment information to an account, you should turn on multi-factor authentication (MFA) to protect it. Where this is not possible, set a long, complex and unique passphrase as the account’s password to help keep cyber criminals out. You could also use a password manager to generate and store passwords for you.
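The advice above to set a long, unique passphrase, or to let a password manager generate one, can be made concrete. The following is an added example and is not code from the original page, the ACSC or Centium: it builds a diceware-style passphrase with Python's secrets module (a cryptographically secure source, unlike the random module) and computes the entropy of the result so that "long" has a measurable meaning. The 32-word list is a constructed stand-in so the example runs offline; a real generator would use a published list such as the EFF large wordlist of 7,776 words.

```python
import math
import secrets

# Constructed demonstration word list (32 unique entries). It exists only so
# this example runs offline; a real generator should use a published list
# such as the EFF large wordlist (7,776 words).
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pebble", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yarrow", "zephyr", "bramble", "copper", "drizzle",
    "feather", "glacier", "hollow", "juniper",
]


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy (in bits) of a passphrase made of word_count independent,
    uniformly random picks from a list of list_size words: k * log2(N)."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 6, words=WORDS, separator: str = "-") -> str:
    """Build a passphrase using secrets.choice, which draws from the OS
    CSPRNG. random.choice is not suitable for credentials."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def strong_enough(phrase: str, words=WORDS, separator: str = "-",
                  min_bits: float = 60.0) -> bool:
    """Return True if every word comes from the list and the phrase carries
    at least min_bits of entropy for that list size. A phrase containing
    words outside the list is rejected because its strength is unknown."""
    parts = phrase.split(separator)
    if not parts or not all(part in words for part in parts):
        return False
    return entropy_bits(len(parts), len(words)) >= min_bits


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"6 words from this 32-word list: {entropy_bits(6, len(WORDS)):.1f} bits")
    print(f"6 words from a 7,776-word list: {entropy_bits(6, 7776):.1f} bits")
```

Six words drawn from a 7,776-word list give roughly 77 bits of entropy; the same six words drawn from the toy list here give only 30 bits, which is why the check demands twelve words from this list before it reports the passphrase as strong. A password manager does the same job without you having to remember the result, which is the reason the advice above recommends one.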

Use trusted sellers

Research online shopping websites before you buy and stick to well-known, trusted businesses.

Know the warning signs

Extremely low prices, payments through direct bank deposits, and online stores that are very new or have limited information about delivery, return and privacy policies can all be signs of a scam.

Use secure payment methods

Never pay by direct bank deposit, money transfer or digital currencies such as Bitcoin, because money sent this way is rarely recovered. Pay by PayPal or with your credit card instead, which give you a way to dispute a charge. You may want to set up a second card with a low credit limit and keep it specifically for online shopping. This will help minimise financial losses if your card details are compromised after shopping online.

Don’t engage, and report suspicious contact

Be aware of any strange phone calls, messages or emails you get about online orders. It could be someone trying to get you to share your personal or financial details. If someone contacts you about an order you don’t remember placing, it could be a scam. Stop contact and reach out to the store using the details on their official website to check.

Watch out for fake delivery scams

Don't let your guard down while you're waiting for your goods to arrive. Cybercriminals send fake parcel delivery notifications with links that can trick you into downloading malware or giving away your personal details. If you receive such a message, do not click on the link; delete the message immediately. If you want to check on a delivery, contact the seller or the courier company using the details on their official website, never the details in the message. Scamwatch has examples of what these fraudulent text messages may look like.

Cyber security, data protection, data privacy and availability are highly topical matters across all industry sectors, and Not For Profits (NFPs) are certainly no exception.

NFPs hold as much, and sometimes more, identifiable personal information as other sectors: donor information, grant funding data, research information and, for health-related NFPs, additional sensitive data. NFPs that accept donations by credit card may also be subject to PCI DSS security obligations. Beyond confidentiality, the integrity (quality and accuracy) and availability of information are also critical to the successful operation of the NFP and to preserving the reputation and brand value of the entity.

Often, NFPs receive funding from State and Commonwealth governments, including through the Council of Australian Governments (COAG). A common condition of those funding agreements is that the NFP must ensure appropriate controls over data security and privacy. Depending on the NFP, the agreement may also require compliance with the funding agency's security standards, such as the Australian Signals Directorate's Information Security Manual and/or the ISO 27001 standard. Often, the funding agency will require an independent review of the NFP's security and privacy controls.

Centium has undertaken a number of such reviews for large and small NFPs. We understand and appreciate the unique challenges faced by NFPs, including the need to balance their compliance obligations with their ability to deliver high quality outcomes, all within very tight budgets. Other unique challenges include the involvement of volunteers who, whilst not employees of the NFP, may still require access to sensitive information to undertake their work. Having worked with many NFPs over decades, we are able to leverage good practices observed not only across NFPs but also across other industry sectors. We understand NFPs' compliance overheads but, more importantly, understand how to meet those requirements in an economical and practical way. You don't always need a $50,000+ piece of kit to keep your data secure.

If you’d like to learn more about Centium’s data privacy and security assurance and improvement services, and how we’ve helped other NFPs meet their compliance needs, contact any of our Senior Partners for an informal chat. Beyond data security and privacy, we’ve also assisted NFPs in areas such as Customer Experience Management, business continuity and resilience, fraud risk management, investigations and training. Leverage Centium’s decades of experience and learnings so you don’t have to re-invent any wheels. centium.com.au
