Five local NSW govts repeat offenders in ‘high-risk’ cybersec failings: AG audit

The NSW state auditor has flagged outdated IT systems and capabilities as ongoing cybersecurity risks for councils, urging laggard local governments to enact cybersecurity controls and formalise their IT policies.

More than one in three councils surveyed, for instance, were found to lack formalised or up-to-date IT policies and procedures.

To minimise cybersecurity risks, NSW councils have been advised to “be alert to the need to update and replace their legacy systems” as well as provide appropriate training and upskilling to ensure staff can safely use those systems.

The report also found that the cybersecurity risks have been exacerbated by recent emergencies, including fire and flood disasters across the state, resulting “in greater and more diverse use of digital technology”.

The NSW Auditor-General’s report covered the 2020-21 financial year ending 30 June 2021, examining 126 councils, 13 joint organisations and nine county councils.

On a positive note, the number of overall IT-related findings identified by the audit dropped from 336 to 296 within the year, with 67 per cent identified as either repeat, partial repeat or ongoing findings.

Of these, the vast majority (236 findings) were classified as “moderate”, with six rated “high-risk” and 54 “low risk”.

The number of high-risk and moderate IT findings also declined by 57 per cent and 12 per cent, respectively, while the number of low-risk findings remained unchanged.

The six high-risk findings were spread across six separate councils (five in regional NSW and one in the Sydney metro area). Five of them were noted by the auditor as repeat findings, each associated with gaps in the council’s information technology access controls.

A new high-risk finding was identified at Bayside Council (in Sydney), related to gaps in its new financial system implementation process. The council was pinged for lacking sufficient documentation of data migration testing (which identifies discrepancies between the source and destination of migrated data), as well as for reusing user access rights (which determine an individual user’s permissions to read, write, modify, delete or access a system file) from the previous year.

The Audit Office report confirmed that the most common IT security failings identified across the group were deficiencies in IT policies and procedures, the lack of a cybersecurity framework, and insufficient controls or gaps in user access management processes.

A total of 59 out of 148 audited organisations were found to have either outdated IT policies and procedures or no policy at all.

The auditor noted that a “lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems”.

Moreover, 42 councils were found to lack a ‘periodic user access review’, meaning they did not confirm whether users’ access to key IT systems was appropriate and commensurate with their roles. A further 73 councils were found to have insufficient control over their privileged users, meaning they had gaps either in the restrictions placed on privileged users or in the monitoring of privileged accounts’ activity logs.

Sufficient cybersecurity frameworks and related internal controls were found not to be in place within 65 councils, because they lacked one of the four governance and internal controls: a cybersecurity framework, policy or procedure; a register of cyber incidents; a simulated cyber-attack test; or a cybersecurity training and awareness program.

A 2019 auditor report recommended that the Office of Local Government (OLG) develop, by 30 June 2021, a cybersecurity policy to ensure cybersecurity risks over data and IT were managed appropriately and consistently across all councils. The auditor noted that this recommendation has so far not been implemented.

According to this year’s Local Government 2021 report, a formal cybersecurity framework or policy, consisting of guidelines for the identification, protection, detection, response and recovery of IT systems, was in place within just 80 councils (54 per cent of the audited cohort).

“Poor management of cybersecurity can expose councils to a broad range of risks, including financial loss, reputational damage and data breaches.

“Furthermore, without a formal policy and framework, formal roles and responsibilities, and involvement of those charged with governance, councils are at risk of inappropriate planning and execution of their cybersecurity responses, which may also lead to inefficient use of their cybersecurity budget,” the report said.

Australian councils have been increasingly targeted by cyber threat actors over recent years. Melbourne’s Stonnington council was last year struck by a suspected cyber-attack causing a “major disruption to its IT services”; in 2019, South Australia’s City of Onkaparinga council was hit by a “high impact”, system-crippling ransomware attack.