Recent cyber attacks highlight vulnerability of local government


The Australian Cyber Security Centre says councils are an attractive target because some councils have responsibility for essential services such as water and sewage.

Recent cyber-hacks targeting government agencies, including one in April against the Isaac Regional Council in Central Queensland and one in June against the ACT Government, should give those in charge of Australia’s 537 local government areas (LGAs) pause for thought.

In the ACT’s case, the email gateway system, which the government uses to support some of its ICT system, was breached by hackers, making data protected by the software accessible. The attack on the ACT Government prompted speculation that it was part of a wider China-based hacking operation that targeted public and private sector organisations, almost a third of them government agencies.

The attack against the Isaac Regional Council was a ransomware attack, in which a hacker encrypts and locks system files, then demands a payment to decrypt and unlock them. At this stage, it’s still uncertain what data was accessed or whether data was uploaded from the council’s system.

Local governments are attractive targets

LGAs were once considered low-risk in cybersecurity. However, the 2021 Stonnington council attack and the 2022 Australian Cyber Security Centre warning highlighted their vulnerability. Local governments oversee vital services, attracting hackers.

But it’s clear that many LGAs still aren’t taking cybersecurity as seriously as they might.

The latest NSW Auditor General Financial Audit Local Government 2022 report found that 47 per cent of all NSW councils lacked at least one of the basic governance and internal controls to manage cyber security.

Last year, WA’s Auditor General also reported that after conducting assessments at 12 LGAs, none met expectations across six broad cybersecurity criteria and none met the benchmark for information security.

Local government, like many organisations, deals with personal information daily. Councils hold data on business and development proposals, ratepayer and local household information, payment details and, in some cases, driver’s licence data.

LGAs, governed by state privacy legislation, must safeguard sensitive information. Smaller councils face challenges due to the high costs associated with developing and maintaining secure IT systems, which limit their capabilities.

Many local councils manage and maintain roads and bridges, collect waste and are responsible for water and sewage management. Any disruption to these services and infrastructure has the potential to cause widespread disruption and economic loss.

Taking steps to avoid a cyber attack

So, what can LGAs do to ensure they’re not at risk from a cyber-attack?

First, they must have a cybersecurity audit carried out on IT systems. An audit will analyse and review IT infrastructure and cyber security policies, and identify any weaknesses, vulnerabilities and high-risk practices within the organisation.

Following the audit results, promptly implement recommended actions. Allocate ample funds and resources to enhance systems and staff, ensuring robust protection for sensitive data and critical infrastructure.

Implementing and maintaining IT systems and policies is crucial. Regular updates are vital. LGAs should prioritise a cybersecurity culture, ensuring proper induction and training for all employees.

Home Affairs and Cyber Security Minister Clare O’Neil has a plan to make Australia the most cybersecure country in the world by 2030, which will see us “bring the whole nation into the fight to protect our citizens and economy”.

Australia’s 537 local government areas (LGAs) are vital in achieving the Minister’s cybersecurity goal, adopting successful whole-of-nation approaches seen elsewhere, leveraging their geographical reach and societal role.

By Ches Rafferty, Scantek CEO.

First published in Government News, August 7, 2023.
