The recent Auditor General report highlighted areas that are often not addressed in many audited, local government (LG) entities policies or procedures. Only 3 LG entities had adequate cyber security policies to govern and manage cyber security. Nine LG entities had policies that were out of date or did not cover important areas. The remaining 3 LG entities did not have a policy or framework. Without policies that clearly outline the principles and expectations of systems and employees, entities are at higher risk of compromise by cyber threats. This may result in financial loss, reputational damage, or disruption to the delivery of important services to their communities.
Identified in the report are critical areas that were not defined in most of the audited LG entities’ policies or procedures, including:
- Cyber security responsibilities to manage cyber security risks had not been clearly assigned
- End-point security requirements to secure devices were not established (for example anti-malware controls, hardening, and encryption)
- Access management requirements and responsibilities to request, grant, review, and revoke access to key systems had not been defined
- Authentication requirements to access systems had not been established or minimum requirements had not been enforced (for example password composition and multifactor authentication)
- Application controls to ensure that only allowed applications can run on devices had not been established
- Information and system backups to regularly backup systems and information had not been defined
- System monitoring to detect and respond to malicious behaviour and system events had not been established.
- Most LG entities did not manage all their cyber risks
Only 2 LG entities had identified all their cyber risks, and 3 had not identified any. Ten LG entities had considered some, but not all, of their cyber risks. If LG entities are not aware of their cyber risks, they cannot mitigate them. This exposes them to a higher risk of compromise which may adversely impact their business plans and objectives.
Risks that LG entities did not consider include:
- malware and ransomware
- data breaches
- unauthorised access to systems or networks (external hack)
- theft of IT devices
- third-party supply chain / cloud risks
Managed IT is a trusted ICT Partner accredited for both WA State Government and WALGA Preferred Supplier Panels. We apply industry knowledge and a consultative approach to address individual challenges at state and local levels. Whether you require support, software or senior leadership, the managed IT team can help.
Click here to find out more on how Managed IT can help your company to implement cyber security principles and frameworks.