Local councils might be viewed by many as the small fish in the big government pond.
However, there's no denying that they play a crucial role in our daily lives.
From rubbish collections to maintenance of public reserves and maternal health programs, there are so many vital assets and programs managed by local councils, which makes the findings from a recent audit of the New South Wales local government sector all the scarier.
The audit found that out of 110 councils, 64 had missing or obsolete policies and processes, as well as inadequate or erroneous fixed asset registrations.
Fifty-eight of the Councils audited lacked sufficient cybersecurity procedures, while 63 were evaluated as 'could do better in asset assessment and management.
The audit also discovered flaws in fraud control at 41 councils, including 30 that either did not have a fraud and corruption prevention strategy or had one that was out of date.
Other prevalent flaws included failing to conduct fraud risk assessments, not asking workers to attest to the Code of Conduct, and failing to provide fraud awareness training.
The unfortunate reality is that for many Councils, cybersecurity is a key concern but often a poorly resourced aspect of Council management.
And with Council managing so many essential and vital functions in our society, the cybersecurity risk needs to be taken seriously and managed properly to stop hackers from accessing sensitive information or disrupting important services.
So, what are the biggest issues and risks facing Council, and how can they be addressed?
Let's dive in. Posture Counts: Poor Cyber Security Governance In Local Government
The cybersecurity posture of a company is the aggregate security state of all software, hardware, services, networks, information, suppliers, and service providers.
Information security (InfoSec), data security, network security, penetration testing, security awareness training to prevent social engineering attacks, vendor risk management, vulnerability management, data breach prevention, and other security measures all form crucial parts of any organisations security posture, and these are particularly important for local Councils.
In essence, these are the very basics when it comes to cybersecurity.
Increasingly, local Councils are using the internet with increasing frequency to conduct regional community surveys and handle a wide range of citizen requests and orders.
This means that now, more than ever, Councils are processing and storing massive amounts of sensitive and personal data from their ratepayers.
That means Council's must get these critical components of cybersecurity right.
With over 50 per cent of New South Wales Councils being shown to have had missing or obsolete policies and processes when it comes to cybersecurity, this is an area where Councils must do better.
In March 2020, another audit that analysed 138 local councils from New South Wales found that 80 per cent don't have a cybersecurity framework. Open to and unprepared for attacks
With poor cybersecurity poster, local Councils are much more likely to be vulnerable to cyber-attacks.
Furthermore, without adequate risk management policies, plans and procedures, they are most likely not going to be able to respond quickly enough to limit the damage caused by a cyber incident.
The truth is that there is no such thing as 100% coverage against cybercrime.
Even with the greatest possible preparation, the best policies and procedures and the most trained staff, there is always a chance that a cyberattack is possible.
Because of that, knowing how to respond to one is vital.
When a cyber-attack happens, it is critical to have a strategy in place to minimise the effects of the occurrence.
Response time to cyber-attacks is also essential; for example, a worldwide legal company lost its complete database of over 120,000 machines less than five minutes after a cyber-attack commenced.
This is why local governments must handle all areas of cyber risk and create a risk management strategy to ensure peace of mind.
Staff education and training, third-party supplier evaluations, incident response planning, examination of IT security and controls, identification of essential infrastructure, and information security policies and procedures should all be part of a robust framework.
Major Cyber Risks for Councils
Whilst Councils should be prepared for a wide range of cyber attacks, the significant risks they should be prepared for include:
Phishing Attacks
Phishing is a type of cyber assault that uses a disguised email as a weapon. The idea is to dupe the email recipient into thinking the message is something they want or need — a request from their bank, for example, or a letter from someone in their work — and convincing them to click a link or download an attachment.
Councils need to be very careful of phishing attacks that use Council branding and messaging to make an unwary person think that their Council is reaching out to them or asking them to click a link or download a file.
Ransomware
Ransomware is a type of virus that encrypts the files of a victim. The attacker then demands a ransom from the victim in exchange for restoring access to the data.
Users are shown how to pay a charge to obtain the decryption key. The charges can range from a few hundred dollars to thousands of dollars and are paid in Bitcoin or some other digital currency to hackers.
Due to the sensitivity of data that Councils manage, they are particularly prone to these attacks.
In 2020, a council in Adelaide's south was targeted with ransomware, resulting in the deactivation of a number of its systems. As a result, they lost faith in the local community and suffered substantial harm to their reputation.
Third-Party Suppliers
A supply chain attack, also known as a value chain or third-party attack, happens when an outside partner or supplier with access to your systems and data infiltrates your system. This has substantially altered the average enterprise's attack surface in recent years, with more suppliers and service providers handling critical data than ever before.
The dangers of a supply chain attack for Councils have never been greater, thanks to new forms of attacks, more public knowledge of the vulnerabilities, and more regulatory control. Meanwhile, attackers have more resources and tools than ever before, resulting in a perfect storm.
While these are three major risks, it is important that Councils manage cyber risks across a wide variety of fronts to ensure their data and that of their ratepayers remain safe.
Major Cyber Risks For Residents
The major cyber risks for residents come from the type of data that Councils now collect and store.
As Councils digitise more and more of their interactions with ratepayers, including elements such as processing payments for rates and fines and collecting personal information as part of surveys, the amount of Personally Identifiable Information (PII) Councils collect and store is rising at an exponential rate.
This not only puts a big target on Council's back, but also means that the risks for residents are very real.
Once a hacker has a resident's personal information they can monetise it by:
Using the data themselves to:
purchase items online
apply for loans
access bank accounts
Selling their login credentials
Selling their PII
Selling their credit card details
Residents whose data is obtained by a cyber attack on a local Council could also be subject to identity fraud.
Managing Cyber Risk for Councils
At CyberWorqs, we are passionate about helping organisations better manage their cyber risk.
Our philosophy is simple. There is no 'one size fits all' solution when it comes to cyber security.
However, there are some general principles and practices that all Councils will benefit from and the CyberWorqs team is here to help explain them to you.
Call us today! 1300 984 340