SA councils need to step up cyber governance: audit

An audit of three South Australian councils has found that all are lacking governance structures to ensure they keep their data safe.

The SA Auditor’s three-part report tested cybersecurity at City of Port Adelaide Enfield, City of Prospect and Port Augusta City Council between December 2019 and March 2020.


All three councils had “some way to go to achieve ICT security standards that appropriately mitigated the risk of various cyber security threats,” Auditor General Andrew Richardson said.

All three needed to increase information security policies and awareness training; mitigate third party service provider risks; and strengthen reporting, password controls and patch management.

The report says SA’s local government sector isn’t subject to mandatory frameworks or standards around cyber security.

Despite this, individual councils should have their own governance structures and system security, as well as disaster recovery measures and incident management, the report says.

Spotlight on three councils

Port Augusta

Port Augusta, on the northern tip of the Spencer Gulf, covers over 1150 square kilometres and has a population of almost 14,000.

Council employs 183 staff including four who are on the IT team, which is led by an information systems and records manager who is responsible for managing information security.

Most of its main ICT systems are internally hosted but supported by external contractors. It is developing a plan to upgrade or replace its current ICT infrastructure over several years.

Prospect

Prospect manages a local area of 7.81 square kilometres north of the centre of Adelaide. It delivers services to more than 21,000 people.

Two of its 90 staff are on the IT team. The customer service manager, who leads the team, is responsible for cybersecurity.

Council’s ICT services, including the help desk and local infrastructure support, are outsourced, and service agreements are in place to support its EDRMS, database administration and ERP system. Other systems are supported by software vendors.

Port Adelaide Enfield

Located across Adelaide’s inner north and north-western suburbs, the amalgamated Port of Adelaide LGA has a population of 126,000 and is one of the largest metropolitan councils in the state.

Council has 465 general operations staff, of whom 16 are on the IT team. The corporate information manager leads the team and is responsible for information security.

Most of its key ICT systems are supported by external vendors and hosted internally. Council has moved to implement some controls over its ERP system.

Cyber threat experienced by 60 per cent

In July 2019 the auditor sent questionnaires about ICT and security to all SA local governments.

It found councils used a broad range of ICT systems managed internally or externally, including cloud hosting.

They identified completing ICT projects on time, limited IT resources and the need to upgrade legacy systems as their biggest challenges.

Spear phishing, malware and ransomware were the top three cyber security threats.

Forty councils (60 per cent of total) said they had experienced a cyber threat or incident in the past two years, and seven had experienced an incident.

Twenty-five were still developing or didn’t have a formal risk register and 13 didn’t have a formal risk treatment plan.

Twenty hadn’t done an independent ICT security assessment in the last two years or had plans to do so.

However, Mr Richardson said many councils were taking a proactive approach to cyber security including doing a voluntary risk mitigation program run by the local government association.
