Another report finds local government falling down on cyber security

Despite a string of reports warning of the need for local government to improve cyber security, the latest performance audit indicates that councils are still exposing themselves to malicious activity by failing to manage risks.

NSW Auditor General Margaret Crawford.

The NSW auditor general looked at how effectively three councils – City of Parramatta, Singleton and Warrumbungle Shire – were managing cyber security risks.  

While the focus was on those three councils, auditor Margaret Crawford said her findings and recommendations were likely to be relevant to most local councils across NSW.

The audit also called out the Office of Local Government and Cyber Security NSW for failing to provide sufficient guidance and support for the local government sector.

The report said each of the selected councils took measures to improve their cyber security during the audit period, but the audit still found significant gaps in cyber security risk management and cyber security processes.  

“The three councils are not effectively identifying and managing cyber security risks,” the report says.

“As a result, councils’ information and systems are exposed to significant risks, which could have consequences for their communities and infrastructure.

“Ineffective cyber security risk management can result in unmitigated risks to the security of information and assets which, if compromised, could impact the councils’ local communities, service delivery and public infrastructure.”

Familiar refrain

Only two of the three councils had a plan to improve cyber security, the audit found.

None had up-to-date plans and processes to support response and recovery from cyber incidents, and none were effectively managing cyber security risks related to third parties.

Previous NSW Audit Office reports have highlighted gaps in councils’ cyber security risk management approaches since 2020, and the Local Government 2023 report, tabled in March 2024, found that 50 councils were yet to implement cyber security governance frameworks and related internal controls.

State government agencies must do better

The current report notes that Cyber Security NSW and the OLG recommend that councils adopt requirements contained in the Cyber Security Guidelines for Local Government.

However, they “could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector”. 

They should also regularly consult on cyber security risks facing local government, and review the effectiveness of guidelines and related resources for the sector. 

The report follows recent incidents affecting local government including:

  • A ransomware attack on a NSW council in April 2022 which impacted council records, employee financial data, and water quality monitoring systems
  • In April 2023 a commercial law firm that provides advice to local governments was the victim of a data breach which saw sensitive information published on the dark web
  • A company that provides enterprise technology services to local councils and other entities was subject to illegal access to its Microsoft 365 back-office system by an unauthorised third party in May 2023
  • A NSW council reported in August 2023 that their social media account had been hacked, resulting in the account being compromised and taken offline

“The threat from cyber security incidents continues to rise,” the report says.

“Such incidents can harm local government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.

“While this report focuses on the performance of the selected councils, the findings and recommendations should be considered by all councils to better understand their risks and challenges relevant to managing cyber security risks.”


One thought on “Another report finds local government falling down on cyber security”

  1. Seriously why are local government not doing more?

    Couldn’t be:
    – zero opportunity for cyber funding to improve systems and processes
    – inability to attract technical cyber resources as they can’t compete on salary
    – such a broad range of services requiring a huge amount of sometimes obscure and insecure systems

    Nah, can’t be that… It must be that state government aren’t doing enough auditing
