WA councils fail to improve information security

Non-existent cyber security policies, cyber criminals guessing weak passwords, vulnerabilities left unpatched for ten years and cardboard boxes stored in server rooms.

WA Auditor General Caroline Spencer

Local government in WA needs to pull its socks up when it comes to cyber security, the state’s auditor general says.

The Office of the Auditor General looked at information security across 45 councils in 2020-21 as part of its yearly cycle of audits, finding 358 control weaknesses across the board. Ten per cent of those were considered to be significant.

That compares to 328 weaknesses identified at 50 entities the previous year, Auditor General Caroline Spencer found.

More than half the weaknesses identified in the current report were unresolved from the last audit.

The audit focused on six categories including information security, business continuity, IT risks, IT operations, change control and physical security.

It also found that none of the 12 councils audited for capability maturity met benchmarks across the six categories.

Ms Spencer said local governments in the state were failing to improve their information security, leaving critical services at risk of cyber attacks.

“These weaknesses represent a considerable risk to the confidentiality, integrity and availability of local government’s information systems and need prompt resolution,” Ms Spencer said.

“Without effective procedures and processes to manage technical vulnerabilities in a timely manner, entities leave their IT systems exposed to malicious attackers. This could result in unauthorised access and system compromise.”

Among the findings of the report, tabled on Tuesday, were:

  • One council didn’t have any cyber and information policy
  • One council experienced a security breach where a cybercriminal guessed a weak password
  • One council shared a highly privileged default domain administrator account with people across different business units
  • One council had critical vulnerabilities dating back to 2013
  • One council had active network access for eight contractors who no longer worked for it
  • One council stored combustible materials including cardboard boxes in its server room

“Local governments need to continuously review and improve their practices to establish robust safeguards and enhance their resilience against cyber threats. Complex networks and systems require smaller entities to also dedicate resources to manage their information and cyber security,” Ms Spencer said.

The councils must now prepare an action plan to address the matters raised in the report and submit it to local government minister John Carey within three months.
