Local government exposed to rise in cyber attacks

Local governments are increasingly vulnerable to data breaches, delegates were told at a cyber summit last week.

“The problem in Australia is pretty sizeable,” said Dominika Zerbe – a cybersecurity expert at consultancy firm KPMG. And cyberattacks on councils are on the rise. “We know that in Australia it is a growing area for threat actors to target councils so we are seeing a lot more activity in that space.”

“Not just in volume but also in complexity and sophistication,” Zerbe added.

Almost 80 per cent of data breaches across the local government sector occur because of human error. These human-led incidents cost local governments dearly. “The financial impact for local councils is somewhere between $1 million to $2 million a year,” said Zerbe.

Zerbe and colleague Liz Watts were presenting at the Tech Leadership Summit in Sydney. Hosted by the Australian Local Government Association, the event attracted 100 or so delegates from across Australia, including mayors, shire presidents, and councillors.

“You are custodians of really significant and sensitive data,” delegates were told. “That data relates to very personal information about your residents, about their services, where they live.”

That data “is highly lucrative online on the dark web and the more data an organisation holds, the larger the attack surface,” said Zerbe.

Dominika Zerbe (courtesy Australian Local Government Association)

While outdated IT systems expose councils to attacks, “so too do new technologies”, said Zerbe. “As you are transforming and digitising and as that footprint of digital services grows, so too must your cybersecurity program. Otherwise, you’re building in vulnerabilities.”

Despite the risks, there isn’t much coordination or clarity about what councils must do to protect that data, said Watts. “This means there are gaps. It makes councils more vulnerable and it means that vulnerability is variable across the sector.”

There is a need for a consistent national framework, she added. “There needs to be very clear, local government-specific minimum standards – that’s recommendation number one.”

There is also a lack of adequate training and education. Delegates were told that only 50 per cent of councils conduct cybersecurity training. “So there is a question there about how well we are training and embedding the knowledge we need council staff to have,” said Zerbe.

Delegates were advised to tap into known, proven existing approaches, tools and solutions in place across the country. “How can we disseminate and improve access for councils so that they can bring some of those tools, solutions and approaches into their workforce,” asked Watts.

Delegates in Sydney at ALGA’s cyber summit (courtesy Australian Local Government Association)

Another problem councils face is difficulty recruiting cybersecurity experts. “Councils are struggling to attract the talent they need. The talent pool is small,” said Zerbe. Councils in regional or rural areas of the country are particularly impacted, she added. “If you want people to be physically present it can be really difficult to attract those people to your LGA.”

And many councils don’t have the funding to recruit staff or invest in protective measures, said Watts. “There is not an endless bucket of money to invest in all the things that need to be invested in. There are many priorities that councils are looking to juggle.”

“Often the risks around cyber are keenly understood within pockets of council but perhaps not fully appreciated and understood at the executive and the elected level,” she added.

That makes it challenging for councils to invest heavily in cybersecurity, said Watts. “That million dollars could go directly to the community. That’s a really difficult trade-off for decision makers.”

When councils do invest in cybersecurity it tends to be reactive, delegates were told. “Something will happen to your organisation or another council that will trigger a response. But that’s not a strategic sustainable approach,” said Watts.

Ultimately, there needs to be a cultural shift, said Zerbe. “Cyber is still seen as an IT issue that sits over there and something that isn’t the rest of the organisation’s responsibility.”
