
Cyber Security - A Key Risk for Local Government

March 28, 2024

The NSW Audit Office report on cyber security in local government [1] highlighted that Councils should improve governance over cyber security risks, assess themselves against the OLG Cyber Security Guidelines (developed by Cyber NSW), take a risk-based approach to improvement plans, and regularly test their cyber incident response plans.

Cyber Security Risks: Cyber security is a key set of risks that all organisations across the nation are facing. The Australian Cyber Security Centre (ACSC) has quantified the cost of a cyber incident for a medium-sized organisation at nearly $100,000 per incident in 2022-23 [2].

Recently, the ACSC issued a series of alerts about vulnerabilities in specific technologies widely used in Councils and the urgent need to remediate them. Such vulnerabilities are being exploited by attackers at an accelerating rate and, in some cases, within 24 hours of the vulnerability being announced.

The top three cybercrimes reported in 2022-23 were email compromise, business email compromise fraud and online banking fraud, with social engineering a key strategy that criminals use to gain access or to manipulate a staff member [3]. These attacks target people rather than technology, reinforcing the need for a cyber security plan that covers people, processes and technology.

Cyber Security in Councils: Cyber security is not just an IT problem that technical controls alone can mitigate. Addressing the cyber security threats faced daily requires a whole-of-organisation response. Effective governance, cyber risk management, staff training and awareness, monitoring and incident response, and reporting all need to work together in a coordinated framework. The OLG Cyber Security Guideline spans all of these elements and provides a holistic assessment for Councils.

Following an assessment against the OLG Guideline, Councils need to establish a long-term cyber security plan to ensure that all elements are addressed and that maturity across the organisation increases year on year.

Centium and Cyber Security: A number of local councils have engaged Centium to undertake an independent assessment of their cyber security posture against the NSW Office of Local Government Cyber Security Guideline. These assessments, which are a critical first step in a longer journey for Councils in managing their cyber security risks, gave those councils clarity over what cyber security controls are in place and what they still need to implement.

Centium strongly recommends all organisations assess their current cyber security posture, evaluate the effectiveness of current controls and build a comprehensive plan to address gaps and weaknesses. We can undertake an independent assessment and give you a baseline of where you are today https://centium.com.au/contact-us/

1. Audit Office of New South Wales. Cyber Security in Local Government. https://www.audit.nsw.gov.au/our-work/reports/cyber-security-in-local-government

2. Australian Cyber Security Centre. ASD Cyber Threat Report 2022-2023. Cyber.gov.au, published 14/11/23 [cited 29/12/23]. Available from: https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023

3. Voce I & Morgan A (2023). Cybercrime in Australia 2023. Statistical Report no. 43. Canberra: Australian Institute of Criminology. https://doi.org/10.52922/sr77031

The integration of artificial intelligence (AI) technologies in government-funded agencies has garnered considerable attention, with a growing body of work dedicated to safely realising the benefits AI offers. Early initiatives, such as Australia’s voluntary AI ethics principles, draw upon Australia’s AI ethics framework, which consists of eight principles that organisations can use to:

  • achieve superior outcomes with AI
  • minimise the risks of adverse impacts
  • uphold the highest standards of ethical business and governance.

This effort will be further supported and expanded through the Australian Government’s recently announced AI expert group, which will provide guidance on testing, transparency, and accountability measures for AI in legitimate yet high-risk contexts. The group brings together expertise in Indigenous Cultural and Intellectual Property, law, technology and ethics.

The Australian Government is behind a push to reach 1.2 million tech-related jobs by 2030 and is offering a new free AI 101 course to small and medium business owners. The program covers topics including challenges and risks, common misconceptions, real-world applications, and advice from industry experts on starting a career in AI.

The 2023 Report from the Australian Government Department of Prime Minister and Cabinet, titled "How might artificial intelligence affect the trustworthiness of public service delivery?" offers valuable insights. Citizens increasingly demand higher standards of care, personalised services, and greater efficiency when interacting with government services. AI holds the potential to revolutionise public service delivery, offering enhanced experiences and outcomes for the community. Current AI applications in the public sector include chatbots, virtual assistants, document and image recognition for border control, fraud detection and data mapping.

AI has the potential to transform how local councils deliver services, enhancing efficiency in areas such as planning applications and rate collection, and aiding data analysis and preventative maintenance. Data-driven decision-making can assist local councils in making well-informed choices regarding resource distribution, financial planning, and policy development. Advanced sensors and AI-driven algorithms can anticipate maintenance or repair needs for infrastructure components such as roads, bridges, and utility systems.

Emerging evidence suggests that unregulated AI can exacerbate societal disparities. Studies, such as a recent examination of AI bias in America, reveal prejudices against marginalised groups that can influence practices and perpetuate endemic biases in the employment, education, insurance, and housing sectors. Furthermore, using AI for data collection and analysis raises privacy and security concerns that must be effectively managed. Without proper controls, AI systems may rely on flawed algorithms, making decisions difficult to track or explain, akin to the issues seen with Robodebt.

In response to these challenges, public agencies must adopt a framework that ensures trustworthy stewardship of AI systems by:

  • Establishing ethical guidelines aligned with community values, human rights principles, and legal obligations.
  • Ensuring transparency in data collection processes, decision-making algorithms, and outcomes, while addressing potential biases.
  • Implementing accountability mechanisms to hold individuals and teams responsible for AI-related decisions, supported by formal governance, oversight, and escalation procedures.
  • Strengthening data governance policies to ensure data quality, integrity, and privacy, clarifying ownership, access controls, sharing agreements, and compliance with regulations.
  • Conducting comprehensive risk management exercises to identify and mitigate biases, discrimination, security vulnerabilities, and unintended consequences.
  • Building AI systems on the principles of fairness and equity, and which include strategies for monitoring discriminatory impacts.
  • Maintaining human oversight to ensure accountability, transparency, and intervention capabilities in critical decisions.
  • Continuously monitoring and improving AI systems over time.

As AI capabilities advance rapidly, public organisations in Australia must position themselves to maximise opportunities for improving government service provision. By adopting a framework for trustworthy stewardship, agencies can mitigate risks and harness the full potential of AI in serving the community.

Centium is an independent assurance and audit firm that focuses on helping clients manage their risks. We partner with Australian state and local government, not-for-profit organisations and private sector clients to provide a complete solution to managing organisational risk, enhancing governance and improving operational performance. We believe that the principles of effective governance and risk management apply to all aspects of managing an organisation, from procurement and probity to technology and business transformation.

Useful References

  • ACS urges action as AI disruption looms | Information Age
  • Artificial Intelligence Ethics Policy | Digital.NSW
  • Mandatory Ethical Principles for the use of AI | Digital.NSW

It’s not uncommon, at the end of a cyber audit cycle, for organisations to receive lower than expected audit outcomes and maturity levels. At that point, the audit's outcome is locked in, and there is no recourse.

This isn’t a good situation for an organisation to be in. A poor cyber audit outcome can have several negative consequences, including financial penalties, higher operational costs, compromise of the confidentiality, integrity and availability of critical assets, and a loss of trust and reputation among clients and the public.

That’s why, when it comes to cyber security compliance audits, the heavy lifting should not be left to the end.

This can all be avoided with a more proactive approach. In most situations, a timely mock audit can identify shortcomings that, when addressed, substantially improve the audit outcome.

What is a mock audit?

A mock audit is much like an actual audit: the methodologies, standards and recommendations applied mirror those of the real audit. It therefore takes the mystery out of the review by identifying compliance gaps and areas requiring improvement, and by suggesting the corrective actions you need to take to succeed in the audit.

This type of proactive planning has many benefits, such as:

  • increasing your cyber defence readiness
  • clarifying where your organisation currently stands
  • achieving better results when the actual audit occurs

All these benefits help you avoid costly fines and penalties, while enhancing stakeholders' trust in your organisation and its reputation.

A mock audit is particularly valuable if your organisation has never been examined, as there may be significant gaps and deficiencies that have not yet been discovered. Even if your organisation has already been examined, a mock audit is worth considering, as there may have been significant changes in your business since your last audit, such as new services or new internal and external rules and regulations.

How can a mock audit help?

  • Ensures there are no surprises during an audit
  • Identifies gaps and sets expectations early
  • Helps identify training needs for your key stakeholders
  • Ensures more positive audit outcomes with higher maturity ratings
  • Saves valuable time and resources

Accessing independent, cost-effective mock audit and audit expertise

An independent, competent, and qualified third-party consultant brings a fresh perspective and helps identify gaps you might not even know existed.

Centium is an agile management consulting firm that specialises in minimising risk for government organisations. A large part of that is providing independent IT and cyber security services that add value and mitigate risks.

We specialise in audit services and can undertake a Cyber Security Mock Audit against your cyber security requirements, such as the NSW Cyber Security Policy, the ACSC Essential 8, NIST, PCI DSS, SOC1/ISAE3402, SOC2 or ISO27001. We can also follow up with a (cost-effective) formal audit within the defined timelines, ensuring higher audit compliance ratings along with significant time and cost savings.

For more information about how this approach can add value to your organisation's cyber security efforts, please contact our Director, Cyber & IT, for a no-obligation discussion on 0412 562 797 or scott.thomson@centium.com.au. Alternatively, browse Centium's range of Cyber & IM services.
