Cyber security in local government
Local government is not unique in facing increasing cyber security risks, but as local government’s operations become increasingly digital, the need to protect the personal and sensitive information of communities, staff and stakeholders is now a top priority. The latest cyber incident events in 2022 have confirmed the need to apply critical thinking towards the cyber security resilience of local government.
We examine why and how local government can focus on building robustness into cyber security governance and take a holistic approach to mitigating cyber risks and exposure to ultimately achieving cyber security resilience.
The local government landscape
Australian government organisations are constantly targeted in cyber attacks aimed at obtaining information and disrupting essential services. According to a recent survey, the Australian Cyber Security Centre (ACSC) received over 76,000 reports of cyber security incidents in 2021-22, an increase of nearly 13 percent from the previous year1.
Local governments hold significant amounts of sensitive and valuable data about their community and staff that must be held securely. Greater digitisation of local government services, particularly in light of the need to respond rapidly to the COVID-19 pandemic, has further heightened the volume, breadth and sensitivity of public data that local governments hold. Coupled with the current local cyber threat environment it is clear that further measures need to be taken.
It is of utmost importance to local governments that their data management systems respect and protect the privacy of their community and staff. A combination of rapid digitalisation, budget constraints and limited in-house capability has created cyber gaps which can increase the risk of theft of community information or disruption to essential services. This creates reputational and financial risks for local governments and most importantly operational disruption risks that can affect the lives of citizens.
In 2021, the Auditor General report on local government organisations found significant flaws in their approach to cyber security2. Clear areas of weakness were identified relating to:
— having a defined cyber security strategy or framework
— adequately funding cyber security
— providing relevant training and awareness programs
— identifying and reporting cyber risks to executive and council, and
— implementing basic IT controls which resulted in poor cyber security posture.
Few local governments have a substantial IT budget, which means they have fewer specialised resources to safeguard against sophisticated attacks. All local governments give attention to development of critical infrastructure assets such as sewage, water, utilities, playgrounds, schools, and community care facilities while attention for privacy and security of sensitive information often has little to no funding, despite underpinning all strategic and operational areas. Since many of the basic cyber security controls are not in place, millions of community and staff members’ data will be left exposed if not fully secured. The other issue is that IT budgets are currently used for cyber security needs exposing conflicting priorities between the two functions in local government.
Defining a cyber security policy is an important first step in improving the consistency and foundational elements of cyber security in local governments. Local governments have a moral and ethical obligation to protect the information of those who they represent.
Understanding councils' cyber security risk profile
With only limited explicit policies, procedures and controls in place, local councils are extremely vulnerable in the face of the daily rise in cyber threats. The community and staff expect their personal information is secure, thus it is crucial for local governments to protect it against unprecedented cyber threats.
Local councils are being targeted by ransomware and other phishing cyber threats in an intention of service disruption and stealing valuable information for monetary gain. In Australia, there have been several well-publicised attacks on government institutions.
For example, a Victorian local council in August 2021 was attacked, forcing the council to disable many online services, including online payments, the ePlanning system and its call centre for over two weeks. It was forced to operate under ‘manual processes’ during this time. Also, a city council in South Australia was hit by a ransomware attack in December 2021 resulting in encryption of its servers, which consequently caused substantial service disruption.
It is evident that local governments are being increasingly targeted for cyber attacks, which places an imperative on local governments to act quickly to address the threats in order to maintain operations and reduce the possibility that sensitive information will be made public or their operations disrupted.
Critical infrastructure is another vital aspect that needs to be considered in a local government context. The Security of Critical Infrastructure Act3 is intended to improve the current framework for managing risks relating to critical infrastructure by adding more positive security obligations for critical infrastructure assets. This includes:
- a risk management program, to be delivered through sector-specific requirements and mandatory cyber incident reporting
- enhanced cyber security obligations for assets of national significance, and
- government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks.
While the legislation does not currently cover local government entities, this is an example of best practice requirements and some of the foundational elements of these requirements should be considered when thinking about critical infrastructure in a local government context.
Keeping sensitive data protected
To have a foolproof secure solution, the big issue that must be addressed is having a robust systemic approach in place to manage, review and ensure cyber security resilience within the IT systems of the local government as well as across people and processes. The following key elements need to be executed by local governments to make sure adequate cyber security measures are put in place.
An important step will be creating and having regular reviews of IT policies and procedures as well as tracking updates of these.
Approaching the data layer with its relevant cyber objectives around the confidentiality, integrity and availability of the data within the council will be key. The first step here is to understand the data that the council holds and the sensitivity and confidentiality requirements of it to inform further next steps.
Having appropriate access management including rationalising and applying Privileged Access Management on administrator access and beyond to ensure that the appropriate staff members have the appropriate access needed for them to perform their job.
Designing and implementing cyber security controls. To include data and other information assets classification. This exercise will assist with determining the ‘crown jewels’ the local government entity wants to protect and where the prioritisation of investment should occur.
Good governance (accountability mechanisms, financial risk management and fraud prevention) is vital to provide the appropriate level of oversight and promote public confidence and satisfaction in local government operations.
Cyber security culture uplift, and not only training and awareness programs for local government employees, will be essential to identify potential cyber risks and put procedures in place to respond effectively to cyber attacks while empowering employees to know their responsibility with regards to cyber security. The training and awareness to back up the cyber culture journey will have to be appropriate to the roles and responsibilities of the employees.
We would be more than happy to work with you to help you strengthen your local council's cyber resilience. This can include a workshop with key stakeholders to understand your progress against the above key areas of focus, and an analysis of the maturity of your local government against peers. Just get in touch below.