Local government is not unique in facing increasing cyber security risks, but as local government’s operations become increasingly digital, the need to protect the personal and sensitive information of communities, staff and stakeholders is now a top priority. The latest cyber incident events in 2022 have confirmed the need to apply critical thinking towards the cyber security resilience of local government.
We examine why and how local government can focus on building robustness into cyber security governance and take a holistic approach to mitigating cyber risks and exposure to ultimately achieving cyber security resilience.
The local government landscape
Australian government organisations are constantly targeted in cyber attacks aimed at obtaining information and disrupting essential services. According to a recent survey, the Australian Cyber Security Centre (ACSC) received over 76,000 reports of cyber security incidents in 2021-22, an increase of nearly 13 percent from the previous year1.
Local governments hold significant amounts of sensitive and valuable data about their community and staff that must be held securely. Greater digitisation of local government services, particularly in light of the need to respond rapidly to the COVID-19 pandemic, has further heightened the volume, breadth and sensitivity of public data that local governments hold. Coupled with the current local cyber threat environment it is clear that further measures need to be taken.
It is of utmost importance to local governments that their data management systems respect and protect the privacy of their community and staff. A combination of rapid digitalisation, budget constraints and limited in-house capability has created cyber gaps which can increase the risk of theft of community information or disruption to essential services. This creates reputational and financial risks for local governments and most importantly operational disruption risks that can affect the lives of citizens.
In 2021, the Auditor General report on local government organisations found significant flaws in their approach to cyber security2. Clear areas of weakness were identified relating to:
- having a defined cyber security strategy or framework
- adequately funding cyber security
- providing relevant training and awareness programs
- identifying and reporting cyber risks to executive and council
- implementing basic IT controls which resulted in poor cyber security posture.
Few local governments have a substantial IT budget, which means they have fewer specialised resources to safeguard against sophisticated attacks. All local governments give attention to development of critical infrastructure assets such as sewage, water, utilities, playgrounds, schools, and community care facilities while attention for privacy and security of sensitive information often has little to no funding, despite underpinning all strategic and operational areas. Since many of the basic cyber security controls are not in place, millions of community and staff members’ data will be left exposed if not fully secured. The other issue is that IT budgets are currently used for cyber security needs exposing conflicting priorities between the two functions in local government.
Defining a cyber security policy is an important first step in improving the consistency and foundational elements of cyber security in local governments. Local governments have a moral and ethical obligation to protect the information of those who they represent.
Understanding councils' cyber security risk profile
With only limited explicit policies, procedures and controls in place, local councils are extremely vulnerable in the face of the daily rise in cyber threats. The community and staff expect their personal information is secure, thus it is crucial for local governments to protect it against unprecedented cyber threats.
Local councils are being targeted by ransomware and other phishing cyber threats in an intention of service disruption and stealing valuable information for monetary gain. In Australia, there have been several well-publicised attacks on government institutions.
For example, a Victorian local council in August 2021 was attacked, forcing the council to disable many online services, including online payments, the ePlanning system and its call centre for over two weeks. It was forced to operate under ‘manual processes’ during this time. Also, a city council in South Australia was hit by a ransomware attack in December 2021 resulting in encryption of its servers, which consequently caused substantial service disruption.
It is evident that local governments are being increasingly targeted for cyber attacks, which places an imperative on local governments to act quickly to address the threats in order to maintain operations and reduce the possibility that sensitive information will be made public or their operations disrupted.
Critical infrastructure is another vital aspect that needs to be considered in a local government context. The Security of Critical Infrastructure Act3 is intended to improve the current framework for managing risks relating to critical infrastructure by adding more positive security obligations for critical infrastructure assets. This includes:
- a risk management program, to be delivered through sector-specific requirements and mandatory cyber incident reporting
- enhanced cyber security obligations for assets of national significance, and
- government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks.
While the legislation does not currently cover local government entities, this is an example of best practice requirements and some of the foundational elements of these requirements should be considered when thinking about critical infrastructure in a local government context.
Keeping sensitive data protected
To have a foolproof secure solution, the big issue that must be addressed is having a robust systemic approach in place to manage, review and ensure cyber security resilience within the IT systems of the local government as well as across people and processes. The following key elements need to be executed by local governments to make sure adequate cyber security measures are put in place.
Get in touch
We would be more than happy to work with you to help you strengthen your local council's cyber resilience. This can include a workshop with key stakeholders to understand your progress against the above key areas of focus, and an analysis of the maturity of your local government against peers.
