Councils lack resources to manage cyber threats

Cyber threats are the second biggest risk facing local government but councils don’t have the resources to tackle them, according to the group representing professionals in the sector.

Clare Sullivan

Local Government Professionals Australia has made a submission to the federal government’s 2020 Cyber Security Strategy identifying ways it can support local government.

A report surveying local government CEOs and general managers, JLT Public Sector Risk Report 2019, by risk consultancy JLT in conjunction with LGPA, found that cybersecurity is the second biggest risk for local government following financial sustainability.

LGPA CEO Clare Sullivan said it was important to deal with issues surrounding cybersecurity because of the rapidly changing environment of cyber space, but most of the councils that LGPA spoke to said their budgets were under significant pressures from external and internal sources.

“Most of the IT departments are explaining that they’re dealing with a lot of old and legacy systems and that the cost to upskill their staff and upgrade their systems to ensure adequate cyber preparedness and security is beyond the capacity of the current budget,” she said.

Ms Sullivan says the submission calls for more national leadership to help local government bolster cyber security.

“It’s hard for any sector or industry to have a complete handle on, which is why we’ve suggested to the federal government the importance of their national leadership in this space,” she told Government News.

Standards and compliance certification

LGPA outlines five key recommendations for the federal government to act on. First on the list is the call to develop a set of standards and compliance certifications.

“If there were standards, it would mean that we could work to a degree of efficiency across the sector, and if the federal government saw it as a priority they might be willing to support councils to meet those standards,” Ms Sullivan said.

Local government owns a range of IT systems that it sources from third party providers. Currently, the federal government has a national standard that it follows, and Ms Sullivan believes this could be developed to apply to local government.

“If we could be told that that applies to local government then it would give us peace of mind that we were asking for the right standards and specs when we’re dealing with third party providers,” she said.

“We thought a neat thing might be just to review that and see which of those bits we could apply to local government and would be relevant, rather than having to do a whole scale review and start again from scratch.”

Cybersecurity becoming a cultural problem

Second on the list is the recommendation to increase government-provided incentives and training in the recruitment of IT workers who specialise in cybersecurity.

“Cybersecurity is moving more to being considered a cultural problem, and certainly within councils we can recognise that it’s as much about staff training and about awareness within the workforce, as it is about having the right IT systems,” Ms Sullivan said.

Third and fourth on the list are recommendations to provide resources and training to staff and make it easier to find relevant information on the Australian Government’s Australian Cyber Security Centre resource site.

The fifth recommendation is a call for the federal government to assist in the identification and classification of critical infrastructure.

“When we talk in local government space, we can see that regional airports, sports, key roads and key data sets would be potential secondary critical infrastructure pieces, meaning that if they were wiped out by a cyber-attack, it would cause a significant impact on the community,” Ms Sullivan said.

“(We are) asking for some commonwealth federal government assistance in identifying potential areas of critical infrastructure and classifying them, so we as a nation can deal with threats or attacks to critical infrastructure in a more whole way.”

Five key recommendations

  1. developing a minimum set of standards and compliance certifications or expanding the application of existing Commonwealth standards to local government
  2. increasing Australian Government-provided incentives and training in the recruitment of skilled IT workers in the cybersecurity field, particularly in encouraging work in regional and remote areas
  3. providing resources and training assistance to improve or deliver cyber awareness training for the broader local government workforce
  4. improving the ability to find the relevant material through filters or industry specific pathways to improve the functionality and uptake of the Australian Government’s Australian Cyber Security Centre resource site
  5. assisting in the identification and classing of critical infrastructure and then developing appropriate management plans to increase the understanding of risk and thus the security of this infrastructure.

The federal government is currently calling for views on its successor to the 2016 Cyber Security Strategy which aims to respond to the evolving cyber threat environment.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required