Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Cybersecurity in Local Government: What councils should watch out for
Few Local Government Authorities (LGAs) in Australia can boast large IT budgets or in-house cybersecurity specialists – but they still need some way to protect their critical operations and data.
In previous articles, we’ve examined the role cybersecurity plays at the State and Federal Government levels. But what about the more than 530 councils Australia-wide – around 55% of which are in regional or remote locations?
In 2018, local government employed 194,000 people – which represents nearly 10% of the total public sector. The work they do is critical to Australian residents and local businesses. The pandemic saw many of these employees working from home, which raised new challenges for securing council systems. At the same time, forward-looking councils sped up their cloud migration and digital initiatives, to make it easier and faster to serve their stakeholders remotely.
But time pressures and budget constraints meant that many councils had to rush into digitisation without properly planning for cybersecurity. With cyber threats against government bodies escalating every day, this puts councils in a highly vulnerable position.
The scope of the problem
Based on audits in late 2019, the NSW Auditor General’s Department found that 80% of the state’s 138 councils didn’t have a cybersecurity framework. Overall, it identified 1,947 issues, of which 41% related to IT and 68% of those to access management.
The range of concerns included the lack of IT policies and risk management, shared user accounts, weak passwords, and poor system implementation. Most telling, only 20% of councils had a formal cybersecurity policy or framework, 84% didn’t even budget for cybersecurity and 76% had not given their staff cybersecurity training.
This was despite the release in February 2019 of the NSW Cyber Security Policy as part of the Department of Customer Services’ Beyond Digital Strategy – with requirements including:
“… strengthening cyber security governance, identifying an agency’s most valuable or operationally vital systems or information (“crown jewels”), strengthening cybersecurity controls, developing a cybersecurity culture across all staff, working across government to share security and threat intelligence and a whole of government approach to cyber incident response.”
NSW is just one state – and if the AGD’s 2020 report findings are representative of local authorities across Australia, there is some serious work to be done.
Dangers in the shift to digital and the cloud
Councils naturally prioritise cybersecurity around operational systems where they conduct their core business. Few councils have a large IT budget – which means they have fewer specialised resources to counter sophisticated cyberattacks. Typically, they rely on their software and/or cloud application vendors to provide cybersecurity for their financial and other mission-critical systems.
However, the data they collect and hold about local ratepayers, residents and businesses can still be at risk – especially when modernising traditional local government IT systems and moving them to the cloud. Data traditionally resided in the on-premises data centre – but now it's no longer held in one place. This creates the need to protect data wherever it resides, often now in hybrid cloud environments. This makes it vulnerable to malicious actors looking to steal confidential information or disrupt critical services.
Another source of cybersecurity vulnerability comes from the increasing numbers of councils rolling out more and more digital initiatives. These are aimed at improving the productivity of their own processes and people – as well as providing a better experience for their stakeholders. The technology supporting them often includes a wide mix of technologies and services. Some digital advances call for records and transactions to be linked across state agencies or even Federal Government systems, or with those operated by council contractors.
This mix of different standards and technologies leaves LGAs open to attack. By way of example, in July 2018, both the Cairns District Council and Townsville City Council lost the personal data of hundreds of residents who had entered promotions when Typeform was exploited. Then in July 2020, Darwin City Council’s MyDarwin voucher scheme was attacked – leading to the leaking of the contact information for thousands of Top Enders.
In incidents such as these, vulnerabilities sneak in via non-core systems, or so-called ‘supply chain attacks’ – where a component of a system has an in-built ‘back door’ as a result of working with third-party systems. These exploits can be difficult to prevent with a low level of in-house security expertise, but partnering with a security provider that has a global perspective and the necessary forward intelligence can greatly help.
As traditional IT systems and operational processes evolve and transform service delivery, councils must work hard to establish trust with their community and take cybersecurity much further than they needed to in the past.
The human factor: Recent statistics
For the first half of 2021, the Office of the Australian Information Commissioner (OAIC) reported 446 reportable data breaches. Fortunately, this was 16% lower than the number of breaches in July-December 2020.
However, it is very significant that 30% of these breaches were a result of human error. That’s on top of the 65% which were caused by malicious or criminal attacks – many of which would have been a result of human carelessness or ignorance. Specifically, of the 43% of all data breaches that resulted from cybersecurity incidents, 30% came from phishing, 27% from compromised or stolen credentials and 5% from malware.
Like other levels of government and private enterprise, it is imperative that councils minimise cyber threats to the personal data they hold – as well as the continuity of their operations. So naturally, continuously training their staff to remain alert and suspicious is essential, as well as reducing the chance that cyberthreats will slip through their firewalls and mail servers.
Getting it right
There are many ways to better secure your cyber defences. Just addressing three areas can make a drastic improvement to your cybersecurity posture:
Getting access to real-time threat intelligence and mitigation
Protecting your council mail servers – phishing and malware attacks most often arrive via email, because they rely heavily on human error
Informative, engaging cyber training for all your staff – delivered on an ongoing basis wherever they are and whoever they are
While it's easy to assume cybersecurity needs to be high-tech to be effective, the overwhelming majority of attacks rely on users making mistakes to get through. Vigilant users who practise responsible cyber behaviour are one of the most powerful defences in your arsenal. Just by starting with this one element, local councils can dramatically reduce the chances of being caught out by cyber attackers.