Recent cyber attacks highlight vulnerability of local government

Recent cyber-hacks targeting government agencies, including one in April against the Isaac Regional Council in Central Queensland and one in June against the ACT Government, should give those in charge of Australia’s 537 local government areas (LGAs) pause for thought, writes Ches Rafferty.

Ches Rafferty

In the ACT’s case, the email gateway system, which it uses to support some of its ICT system, was breached by hackers, making data protected by software accessible. The attack on the ACT Government prompted speculation that it was part of a wider China-based hacking operation that targeted public and private sector organisations, with almost a third being government agencies.

The attack against the Isaac Regional Council was a ransomware attack, which is when a hacker encrypts and locks system files, then demands a payment to decrypt and unlock them. At this stage, it’s still uncertain what data was accessed or whether data was uploaded from the council’s system.

Local government an attractive target

Up until recently, LGAs were thought by some in the cybersecurity industry to be one of the sectors least likely to be targeted by cyberhackers. But the high-profile attack on Melbourne’s Stonnington council in 2021 raised alert levels. And in 2022, the Australian Cyber Security Centre warned that local governments would be an attractive target for bad actors because many have responsibility for essential services such as water and sewage.

But it’s clear that many LGAs still aren’t taking cybersecurity as seriously as they might.

The latest NSW Auditor General Financial Audit Local Government 2022 report found that 47 per cent of all NSW councils lacked at least one of the basic governance and internal controls to manage cyber security.

Last year, WA’s Auditor General also reported that after conducting assessments at 12 LGAs, none met expectations across six broad cybersecurity criteria and none met the benchmark for information security.

Local government, like many organisations, deals with personal information daily. Councils hold data on business and development proposals, ratepayer and local household information, payment details and, in some cases, driver’s licence data.

Given the sensitivity of information gathered and retained, LGAs are subject to their respective state’s Privacy Legislation, which broadly states that LGAs must take reasonable steps to protect the personal information they collect and hold from unauthorised access or disclosure. The investment required to develop and maintain secure IT systems puts smaller councils at a disadvantage, as the costs involved can be prohibitive.

Many local councils manage and maintain roads and bridges, collect waste and are responsible for water and sewage management. Any disruption to these services and infrastructure has the potential to cause widespread disruption and economic loss.

Taking steps to avoid a cyber attack

So, what can LGAs do to ensure they’re not at risk from a cyber-attack?

First, they must have a cybersecurity audit carried out on IT systems. An audit will analyse and review IT infrastructure and cyber security policies, and identify any weaknesses, vulnerabilities, and high-risk practices within the organisation.

Next, after the results of the audit are known, action should be taken to address the recommendations and, importantly, there must be sufficient funds and resources allocated to invest in the appropriate systems and staff to protect the most sensitive data held and most critical infrastructure or services.

Once the appropriate IT systems and policies are in place, it’s vital these are updated and reviewed regularly. It’s also important that LGAs develop a workplace culture where cybersecurity is made a priority and employees, existing and new, are properly inducted and trained to know their responsibilities regarding cybersecurity.

Home Affairs and Cyber Security Minister Clare O’Neil has a plan to make Australia the most cybersecure country in the world by 2030, which will see us “bring the whole nation into the fight to protect our citizens and economy”.

The whole-of-nation or whole-of-society approach to cyber security is one that has worked elsewhere in the world with remarkable success and, given the geographical reach and the role local government plays in our daily lives, Australia’s 537 LGAs will play an important role in achieving the Minister’s goal.

*Ches Rafferty is the CEO of Scantek 
