Western Australian councils have again fallen below the state Auditor-General’s minimum benchmark for cybersecurity controls, with not one of the 12 assessed entities passing the AG’s muster.
In-depth capability maturity assessments were conducted on 12 – mostly medium to large – local government entities within WA as part of the state Auditor General’s 2022 Information Systems report, which compared findings across the auditor’s 2020-21 annual cycle of information systems audits.
The AG assessed councils’ maturity across six key security control categories: information security, business continuity, IT risk management, IT operations, change control, and physical security to protect information assets.
Not one of the 12 entities (which are unnamed in the report to ensure vulnerabilities are not linked to a specific entity) was found to have met the Auditor General’s expected minimum benchmark (a ‘Level 3’ out of six general computer controls, or GCC, levels) across all six categories.
(A Level 2 rating indicates that an entity lacks a consolidated approach to security, still leaving security measures “to the individual”. Errors in this environment remain “highly likely”, according to the auditor.)
Further, not one of the 12 assessed entities was found to have adequate information security controls, with each entity rated below the auditor’s ‘Level 3’ passing grade – a rating consistent with the previous year’s assessment.
Among the most common information security weaknesses identified were insufficient or out-of-date security policies, lack of multi-factor authentication, inadequate network segregation, and no controls to detect or prevent unauthorised devices from connecting to entity internal networks. In one case, the auditor found that critical servers lacked basic anti-malware protection, and another entity was found to have left passwords unchanged for more than 17 years.
“Information security remains a significant concern, with all entities below our benchmark and not able to demonstrate adequate controls,” the AG wrote – a situation, the auditor added, that requires “urgent attention”.
“A lack of robust controls can expose entities and impact critical services provided to the public.”
Business continuity ratings also took a hit, with only 17 out of 83 entities meeting the minimum benchmark. This is down on the 18 of 82 local government entities identified last year.
The auditor found entities, most commonly, either lacked appropriate or had outdated business continuity and disaster recovery plans (DRPs), with DRPs also found to be “untested”.
The AG did recognise some improvements in other assessed categories, including IT risk management, IT operations, change control and physical security; even so, “most entities still fell below our benchmark,” with the auditor stressing the need for improvement across “all six control categories”.
Forty-five entities were assessed as part of the 2020-21 audit, with a total of 358 control weaknesses identified across the 45 entities. This is up from the 328 weaknesses across 50 entities found in the previous year’s audit.
Of these 45 entities, 12 were marked for an in-depth capability maturity analysis (a process involving a comparison of entity self-assessment with the Auditor General’s own GCC audits).
More than one in 10 (a total of 37) security vulnerabilities were rated as ‘significant’; the vast majority (29) of these were information security weaknesses. At least 71 per cent (254) of weaknesses were rated as ‘moderate’.
“These weaknesses represent a considerable risk to the confidentiality, integrity and availability of entities’ information systems and need prompt resolution,” Auditor General Caroline Spencer said.
Addressing the information security gaps, Spencer urged senior executives from entities to “implement appropriate policies and procedures to ensure the security of information systems and support their entity business objectives”.
“Local governments need to continuously review and improve their practices to establish robust safeguards and enhance their resilience against cyber threats. Complex networks and systems require smaller entities to also dedicate resources to manage their information and cyber security.”