Two-thirds of Queensland’s 77 councils have weaknesses in the security of their information systems.
A review [pdf] of the sector’s sustainability, risk management and controls found 113 deficiencies in councils’ security systems, including 47 unresolved deficiencies identified in previous audits and 66 newly identified deficiencies.
“Forty-five (45) councils have at least one deficiency in their information technology systems,” the Queensland Auditor-General’s 2023 report of Queensland local government entities stated.
“Fourteen (14) councils have one or more significant deficiencies in their information systems that have not been resolved for over a year.”
System users having more access than they needed accounted for the bulk of the deficiencies.
The others were “not having strong controls for passwords to access systems” (4); “not having good processes to manage changes to systems” (10); “not having complete, up-to-date policies and procedures” (10); “having gaps in their cyber and system security controls” (11) and “other deficiencies” (22).
The report also found a quarter of councils had not provided cyber security training to their staff.
The Auditor-General recommended they “conduct mandatory cyber security-awareness training” back in 2019-20.
“There are 17 councils that have still not developed and implemented mandatory cyber security training for their staff as we recommended three years ago. These councils, combined, have 30 deficiencies in their information systems.”
The Auditor-General said that it would be publishing a report in the near future with a more in-depth analysis of vulnerabilities in the sector and recommendations to improve cyber resilience.
“We are finalising a performance audit on insights and lessons learnt on entities’ preparedness to respond to and recover from cyber attacks,” it stated.
“We encourage councils and the department to review this report when it is tabled and implement any recommendations relevant to them.”
The report warned that “when significant deficiencies remain unresolved for a long time, they may result in…increased exposure to cyber-related risks, including loss of personal information or disruptions to services” and “reputational damage to council.”
The Isaac Regional Council was hit by a ransomware attack in April last year. Other Queensland councils have potentially had undisclosed cyber incidents; the state’s mandatory data breach notification scheme – legislated in November – won’t apply to local governments until mid-2026.
“As cyber security threats increase in number and sophistication, councils must promptly address any weaknesses in their information systems,” the Auditor-General said.
“Councils need to make sure their staff remain vigilant to detect and mitigate threats, prevent human errors, and adapt to evolving cyber risks.”