A new report sheds light on the reasons behind the increasing breaches faced by Australian organisations and governments, following major attacks on telecommunications, health, and financial services.

The NSW Auditor General Financial Audit Local Government 2022 report reveals that a concerning 47 percent of all NSW councils lacked basic governance and internal controls to effectively manage cybersecurity.

The report highlights several key deficiencies within these councils, including the absence of cybersecurity frameworks, policies, and procedures; registers of cyber incidents; simulated cyber attack testing (penetration testing); and cybersecurity training and awareness programs. This significant lack of fundamental cybersecurity measures leaves these entities vulnerable to cyber threats.

Adding to the urgency of the situation, a recent PwC report confirms that Australia remains an attractive target in 2022, with espionage, ransomware, and attacks on critical infrastructure posing substantial threats to organisations and institutions. The motivations of threat actors remain consistent: seeking information, money, and disruption.

One of the main challenges identified is the absence of cybersecurity guidelines for councils to follow until the Cyber Security Guidelines for NSW Local Government were published in December 2022 by the Office of Local Government (OLG). Alarmingly, compliance with these guidelines is not mandatory; it is only “strongly recommended,” without any obligation to report maturity scores to the OLG or to Cyber Security NSW.

The impact of these guidelines, released after the 2021-22 financial audit period, remains to be seen. However, concerns persist that the optional nature of the guidelines puts councils at risk. The report states that without mandatory compliance, there is an increased likelihood that councils may not develop adequate cybersecurity plans, hindering the implementation of crucial cybersecurity controls.

Additional concerns arise from the lack of timeframes for councils to create a cybersecurity plan and the absence of reporting requirements to the OLG. These factors further raise the risk of delays in implementing necessary cybersecurity controls, potentially leaving councils exposed to cyber threats.

Key points of concern include 69 councils lacking a formal cybersecurity policy and failing to communicate cyber risks to governance authorities, reflecting a 1 percent increase compared to the previous reporting period. Another report from the Audit Office concluded that Cyber Security NSW lacks formal authority to enforce cybersecurity requirements on local councils.

However, some positive developments have been observed among NSW councils. Prior to the release of the OLG guidelines, certain councils had begun developing their cybersecurity plans by adopting guidance from Cyber Security NSW, the Australian Cyber Security Centre (ACSC), the International Organization for Standardization (ISO standards), the US National Institute of Standards and Technology (NIST), and the Payment Card Industry Data Security Standard (PCI DSS).

Significant improvements have been noted: 34 percent of councils have yet to conduct cybersecurity training and awareness, a notable improvement from the previous year’s figure of 51 percent. Additionally, fewer councils lack a register of incidents, with only 30 percent falling into this category, down from 40 percent. There is also an increase in councils recognizing cybersecurity as a risk and establishing formal roles and responsibilities in this domain.

The report emphasizes the need for councils to prioritize and create comprehensive cybersecurity plans to effectively manage cybersecurity risks to critical data and IT assets. It strongly recommends that councils refer to the Cyber Security Guidelines for NSW Local Government released by the OLG as a valuable resource.

In a separate report by the Audit Office in May, it was revealed that two Australian universities reported financial losses due to cyber incidents. While most universities have continuously assessed their cybersecurity controls, a concerning 31 percent of entities relying on third-party service providers did not require these providers to notify them of cyber incidents.
October 20, 2023