Vulnerabilities, poor security practice rife in local govt systems, WA Auditor reveals


A sysadmin password on a local government system remained unchanged for nearly 20 years, WA’s Auditor General has revealed, with the OAG also finding a number of councils had failed to act on recommendations made in its previous general computer controls audit.

Among the 50 local government entities assessed in its most recent audit, Western Australia’s Office of the Auditor General (OAG) unearthed a laundry list of IT system vulnerabilities and cyber hygiene failures, identifying 328 separate control weaknesses.

Among these, 72 per cent were deemed of ‘moderate’ concern, while, alarmingly, at least one in 10 were rated ‘significant’.

The OAG stressed that while a majority were rated as moderate, “a combination of these issues can leave entities with more serious exposure to risk”.

Nearly four out of five of the 50 assessed entities fell below the auditor’s minimum benchmark for security controls.

In-depth capability maturity assessments (self-assessed against the OAG’s own capability maturity model) were also conducted on 11 local government entities, which benchmarked IT control maturity and capability.

Not one of the 11 local government entities met the OAG’s “expectations” across its six security control categories, with the auditor finding they lacked “adequate controls to effectively manage information security, change management, IT operations, physical security and business continuity”.

Most damning, however, was the auditor’s information security assessment, with all 11 entities failing to meet its minimum security benchmark – “a significant area of concern”, Auditor General Caroline Spencer said.

The auditor uses a 0 to 5 rating scale to evaluate each entity’s capability maturity level across each of the OAG’s general computer controls (GCC) categories, a measure of how well those controls support the confidentiality, integrity and availability of the entity’s information systems and financial reporting.

“The methodology we have developed for our GCC audits is based on accepted industry good practice,” the auditor said.

A ranking of 0 indicates non-existent management processes, while the top ranking of 5, ‘Optimised’, recognises good security practices that are consistently followed and automated.

Not one of the 11 assessed entities received a score above 2 (the OAG’s minimum benchmark) for its information security capability. 

“Many entities either lacked or had inadequate information security policies to inform staff of their responsibilities to protect entity information, which also includes the personal information of ratepayers,” the report said. 

“Staff and contractors were often not given sufficient training to understand the potential risks and threats to entity information.”

The auditor cited a recent phishing attack on a local government entity as a prime example of poor information security practice – an attack that not only resulted in fraudulent transactions on a user’s corporate credit card but the loss of upwards of 10 gigabytes of sensitive emails. 

Effective controls, including a security awareness program for staff, could likely have prevented this significant loss of sensitive and confidential information, the OAG said.

“Without ongoing information security awareness training there is an increased risk that individuals will not understand the risks to the entity and their responsibilities to protect information. This may result in inappropriate actions which could compromise the confidentiality, integrity and availability of information.”

Another entity was found to have failed to segregate its internet-facing systems from its internal network, meaning “public facing and internal systems sat in the same network”. Effectively, this would give human cyber-attackers or malware “full access to the network once the perimeter is breached”.

Among the 11 entities to undergo an in-depth assessment, five had also been assessed in the previous year’s audit; however, it appears not one had adequately acted on that audit’s recommendations.

While these entities had an opportunity to improve their capability “by promptly addressing the previous year’s audit findings”, the OAG said, overall, they “did not discernibly do so”.

Auditor General Caroline Spencer noted that information systems underpin most aspects of operations and services for WA’s local governments, “holding information about the public and community that is confidential and needs to be protected”.

She urged audited entities to “act promptly to resolve” the identified security control vulnerabilities, which “could significantly compromise the confidentiality, integrity and availability of information systems”.

“It is important that entities implement appropriate controls to maintain reliable, secure and resilient information systems.”

The OAG noted that no assessed entity was identified in the report, “so as not to expose their systems to additional risks”.

WA has 138 Local Government Areas spread across the state, with 38 in and around the Perth metro area.