Cyber Security NSW has taken aim at the way councils’ security is being assessed, seeing regular maturity and compliance audits as an ineffective way to improve security in the sector.
The agency’s comments came after the release of a regular audit [pdf] of a sample of councils and their cyber security postures and practices.
Councils are not subject to “mandatory cyber security requirements” but are “recommended” to adhere to the NSW Cyber Security Policy “as a foundation of strong cyber security practice.”
The latest audit focused on three NSW councils, finding that they had “unmitigated risks to the security of information and assets”, and that the councils were not “effectively identifying and managing cyber security risks”.
Among a litany of criticisms, the three councils – the City of Parramatta, Singleton Council and Warrumbungle Shire Council – lacked continuity plans, properly assigned responsibilities, or threat detection.
Such criticisms echo previous reports from the auditor, with criticism of council cyber security an annual event.
But Cyber Security NSW – which plays an enabling role in raising cyber security in the local government sector – criticised the regular audits as being unhelpful to the cause, and as potentially diverting limited resources to satisfying the audit.
“To foster holistic cyber resilience, it is critical to move beyond a singular focus on maturity levels and compliance and instead consider the unique risk profile of an entity and appropriate risk mitigation strategies,” Cyber Security NSW said in an addendum letter.
“A rigid understanding of maturity as a linear process does little to support the prioritisation of resources, funding and effort into meaningful and targeted uplift.”
Councils in the latest audit indicated they were already addressing issues raised by the report; the City of Parramatta said the findings “are consistent with the program [it] has adopted to improve its cyber security position”, while the Warrumbungle Shire Council said it had “some processes in place” but not a “documented approach” to improvement.
Cyber Security NSW listed a number of active initiatives focused specifically on improving cyber security in the local government sector.
It offered councils “a vast range of products and services” to help them manage cyber risk; “has engaged all 128 councils in the Domain Based Message Authentication, Reporting and Conformance (DMARC) project” for email authentication; and put “more than half” of all councils through awareness training.
All councils also received intelligence reports and weekly vulnerability scanning reports, and the agency is in the process of onboarding councils to a “vulnerability risk management platform” it has built.
“[We are] in the process of providing training and access to councils,” Cyber Security NSW wrote.
“This is occurring in staggered phases as not all councils have the technical resources to utilise the platform.”