The following have been identified as significant governance, capability and funding gaps common to most Australian local governments:
1. Governance: Many lack basic internal controls, risk management frameworks and cyber risk policies.
2. Executive buy-in: Executives do not yet fully understand the cyber risk and consequently do not see the benefit of cyber security investment. It often takes a real cyber security incident to drive policy change.
3. Business continuity planning: Business continuity plans and disaster recovery plans do not reflect the current, rapidly changing threat environment.
4. Resourcing: Regional, rural and remote councils are especially budget constrained, with many across Australia struggling with financial sustainability. As local governments tend to operate on an annual budget cycle, there is limited flexibility to respond to the evolving threat environment.
5. Staff capability: Poor staff awareness of cyber threats, limited security training and difficulty attracting and retaining cyber security talent due to both limited budgets and Australia’s constrained cyber workforce are key challenges for local governments.
6. Operational Technology (OT) management: Security teams have traditionally focused on IT networks, leaving gaps in managing the risks associated with internet-connected OT networks. At the same time, many OT network engineers do not understand cyber security principles.
7. Intelligence-sharing: A lack of collaboration and threat intelligence sharing across local governments increases cyber risk, particularly for smaller councils that cannot afford their own security teams.