IT policies and procedures were outdated or not in place at 43 councils
Audit Office of New South Wales Report: Local Government 2022
Read more reports from Audit Office of New South Wales and other Audit Reports. All reports for Local Government in Australia
Poor management of cyber security can expose councils to a broad range of risks, including financial loss, reputational damage and breaches of data involving the unauthorised release of sensitive data and personally identifiable information.
The NSW Cyber Security Policy states that the term cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.
A lack of cyber security maturity continues to be a sector-wide common audit finding among councils.
Cyber security findings were reported in 63 councils (2020–21: 65 councils) as they did not have at least one of the following basic governance and internal controls to manage cyber security such as having a:
- cyber security framework, policy and procedure
- register of cyber incidents
- simulated cyber attack testing (penetration testing)
- cyber security training and awareness program.
Forty-seven per cent of councils do not have a formal cyber security strategy/plan in place.
Our data collection from 30 June 2022 council audits identified that only 53% of councils have created a formal cyber security strategy/plan.
In response to previous audit recommendations, OLG released Cyber Security Guidelines for NSW local government on 19 December 2022. The guidelines:
- allow councils to assess their cyber security maturity and their maturity uplift
- outline cyber security standards and controls recommended by Cyber Security NSW for NSW local governments
- can be adopted by councils or used to form the basis of an internally developed cyber security policy
- are strongly recommended to councils for adherence but is voluntary with no requirement to report maturity scores to Cyber Security NSW.
Sixty-nine councils (47% of councils) do not have a formal cyber security plan. These councils need to prioritise creation of a cyber security plan, based on the OLG’s Cyber Security Guidelines for NSW Local Government, in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. All councils should update their cyber security plans based on the guidelines.
The risks associated with poor cyber security maturity are compounded by information technology control weaknesses and poor information systems security hygiene.
Recommendation to councils
All councils need to prioritise and create a cyber security plan in order to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded.Councils should refer to the ‘Cyber Security Guidelines for NSW Local Government’ released by the OLG.
Related
