Recently, the Auditor-General of New South Wales stated in a report that the Office of Local Government should develop a cybersecurity policy by 30 June 2021 to ensure a consistent response to cybersecurity risks across councils.
The audit looked at the state’s 138 councils and 13 joint organisations, which share revenue of $15.3 billion, assets of $166 billion and liabilities of $7.3 billion.
It identified 1,947 issues, of which 41 per cent related to IT. Of those, 68 per cent related to access management.
A total of 575 issues relating to IT were identified, compared to 448 in the previous reporting period.
They related to a range of concerns including IT policies, lack of risk management, shared user accounts, weak passwords and poor system implementation.
The report says cybersecurity management requires improvement, with “some basic elements of governance not yet in place for many councils”.
The audit found 71 per cent of councils didn’t have IT policies and procedures and 41 per cent didn’t register risks.
Meanwhile, the audit found only 20 per cent of councils had a formal cybersecurity policy or framework, 84 per cent didn’t budget for cybersecurity and 76 per cent had not given staff cybersecurity training.
It was noted that the government will continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse.
The report, based on audits to the end of 2019, also says councils could be better prepared for new accounting standards being implemented this year and should bolster asset management practices.
It identified 59 prior period errors with a value of $1.3 million, with 59 per cent of those the result of poor asset management.
However, the report gives councils a pat on the back for reducing errors and improving fraud control.
Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices, including fraud control systems, have also improved.
An earlier OpenGov Asia article reported that, according to the Department of Home Affairs Secretary, improving Australia’s cyber preparedness and resilience is a pressing issue that requires a whole-of-society response.
The public sector veteran used a video address to the 2020 Edith Cowan and Home Affairs Cyber Security Forum to call for closer collaboration between government, industry and academia on managing Australia’s cyber risks.
He noted that governments cannot do this on their own. Yes, in days past a lot of security threats were managed in great secrecy and by governments taking the lead, the official stated in a video message.
The government had all the information typically, and the government had most of the response options and tools in their inventory. This is no longer the case, and especially so in cyber. Frankly, everyone is on the front line.
The Secretary had been expected to deliver the keynote address for the Forum, which was convened to explore the key findings of last year’s consultation on the 2020 Cyber Security Strategy, but was unable to attend in person because his department is dealing with several issues related to bushfires and biosecurity risks.
Developing a strong cybersecurity strategy will require improving cyber resilience. This will, in turn, require partnerships between governments and industry, between state and federal agencies, and with “society at large”.
One area where such partnerships can play a role is in cyber preparedness. Such a vital area cannot be left to CIOs of organisations or to government agencies to manage alone.