NSW local councils lacking effective cyber security management

cyber security

Three councils at the centre of an audit completed by the Audit Office of New South Wales were found to lack effective processes to identify and manage cyber security risks.

City of Parramatta Council, Singleton Council and Warrumbungle Shire Council were selected to participate in the audit on behalf of the Metropolitan, Regional and Rural groupings, respectively.

The audit assessed the three councils from 1 July 2021 to 31 October 2023 on how they effectively identified and planned for cyber threats, whether they had controls in place to prevent or manage identified cyber risks and whether they had processes in place to “detect, respond to and recover from” cyber incidents.

The audit found that while two of the three councils consider cyber security as a strategic risk, there remained a gap in all three councils’ risk management processes, value of information and systems, and assignment of responsibility for cyber risks to core systems.

The audit also said staff at all three councils lacked a regular cyber security training program, to ensure they remain up to date with the changing threat landscape. They also rely heavily on third party tools to monitor for cyber threats, have no cyber incident response plan to ensure a resilient recovery, and do not utilise a register to record information about potential cyber risks or incidents.

The audit recommended councils should:

  • “integrate assessment and monitoring of cyber security risks into corporate governance processes
  • self-assess their performance against Cyber Security NSW’s guidelines for local government
  • develop and implement a risk-based cyber security improvement plan and program of activities
  • develop, implement and test a cyber incident response plan.

“Cyber Security NSW and the Office of Local Government should regularly consult on cyber security risks facing local government, and review the effectiveness of guidelines and related resources for the sector.”