NSW Audit Office uncovers persistent IT security failings in local govt systems, but positive gains made on previous audit


The NSW state auditor has flagged 14 high-risk issues within councils’ IT systems, 10 of which remain unresolved from the previous year’s audit.

Among the most egregious IT security failures uncovered in the audit, which covers the 2019-20 reporting period, was a council in regional NSW found to have no IT policies or procedures at all for security, change management, backup, storage and retrieval, business continuity, or disaster recovery planning.

Newcastle City Council, the second-largest local government area outside of Greater Sydney (representing more than 160,000 residents), was similarly found to have no formal IT policies and procedures in place for key security provisions including access management, incident management, and cybersecurity.

The most common areas of concern reported related to deficiencies in IT policies and procedures (with 53 councils found not to be reviewing changes to key data [for example, employee and creditor details] in IT systems), insufficient cybersecurity frameworks, and control failures and gaps in user access management processes (with 68 councils not properly monitoring privileged users’ activity, and 58 councils found to be lacking appropriate cybersecurity controls).

Despite the security missteps identified, NSW local governments overall saw a marked improvement in their IT security management practices over the last year, with the audit showing a 42 per cent drop in findings of concern within councils’ technology systems – declining from 584 to 336 findings between the 2019 and 2020 audit periods.

Identified high-risk issues also dropped by more than half between the two audit periods – from 32 concerns flagged to just 14 in the latest report.

The vast majority of IT-related concerns (268 for the 2020 report, representing 80 per cent of IT-related findings) were rated by the auditor as ‘moderate’.

The auditor recognised that several councils had taken remedial steps to tackle high-risk concerns flagged in the previous year’s audit, noting it had reclassified six findings as moderate risk.

However, overall, it found IT policies and procedures were left wanting in at least half of all local governments across the state, recognised as either “outdated or not in place” within 64 councils.

“Sixty-four councils did not formalise and/or regularly review their key IT policies and procedures,” the report noted.

“It is important for key IT policies to be formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment.”

“Lack of formal IT policies and procedures may result in inconsistent and inappropriate practices and an increased likelihood of inappropriate access to key systems.”

The report stressed that IT security controls “underpin the integrity of financial reporting” for councils.

“Councils rely on IT to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address. IT general controls relate to the procedures and activities designed to ensure confidentiality and integrity of systems and data.”

Covid response

The audit acknowledged that councils experienced considerable challenges adapting IT infrastructure and security controls to the work-from-home arrangements introduced during the Covid shutdowns.

Of the councils permitting the use of personal devices for work, the auditor found nearly one in five had failed to assess the security of these devices.

Furthermore, nearly one in three did not provide cybersecurity training or increased awareness of cyber risks during the pandemic period.

Sufficient remote connection licenses were lacking in up to one in every three councils.

Unforeseen costs were also borne by councils due to pandemic restrictions, with 15 per cent of councils recruiting additional IT staff “due to heavier workloads associated with supporting staff working from home”.

Councils reported around $7 million in unscheduled IT expenses incurred as a result of the shift to work from home, which included the additional purchases of laptops, remote connection licenses, video conferencing software and tools, and additional internet quota.

Though no specifics were given, local governments also reported issues with the timeliness of service delivery provided by third-party IT vendors during the height of the pandemic, including internet service providers and IT hardware providers.

Sixty-five per cent of councils updated business continuity plans and 42 per cent updated disaster recovery plans as a response to the recent emergency events.

The Office of Local Government within the Department of Planning, Industry and Environment (OLG), in partnership with Cybersecurity NSW, is currently partway through developing a draft cybersecurity policy that will support “a consistent response to cybersecurity risks across councils”.

The draft policy is expected to be complete and shared with NSW councils by 30 June 2021.

In total, the audit identified 53 high-risk matters across the state’s local government sector, the vast majority of which concerned financial and asset management matters.

One hundred and fifty councils and joint organisations within the local government sector were assessed as part of the audit.

The NSW Government recognises a total of 128 local government areas in the state, along with 13 joint organisations and 9 county councils.