Summary Report | December 2021

CYBER INTELLIGENCE INSIGHTS

Australian Local Government

TLP: WHITE

The CyberCX Cyber Intelligence Insights series presents focused, contextualised information intended to be read by senior decision makers. Prepared by CyberCX’s Cyber Intelligence team, these reports present recent trends that will inform organisations’ cyber security posture and risk assessments.

This is a TLP:WHITE summary of the full report.

For access to the full report please complete the web form on our website.

KEY INSIGHTS

All local government organisations face a real chance of suffering financial loss, business disruption, loss of data or reputational damage associated with cyber incidents in 2022.
Many local government organisations are not yet effectively managing cyber risk.
- This makes them vulnerable to insider risk as well as to cyber criminals and nation-state actors, which CyberCX has observed actively targeting the sector.
- Local governments are investing more in cyber resilience, but this is unlikely to materially improve their risk profile in 2022 since the threat environment continues to deteriorate.
All local government organisations face a high likelihood of suffering a data breach.
- The most common source of data breaches in the government sector is accidental exposure caused by employees or contractors.
- Foreign governments are actively targeting local governments for intelligence collection and political interference, with some of these actors viewing local governments as ‘weak links’ in Australia’s national security.
Local governments face a high risk from ransomware and other cyber extortion attacks, which have increased exponentially in 2021.
- Government is Australia’s third most frequently impacted sector by cyber extortion.
- We assess that local governments are even more likely to be targeted than state and federal agencies.
Business Email Compromise (BEC) is the most likely form of cyber criminal attack to be faced by local governments and could cause major financial loss.
The likelihood that a cyber incident will affect operational technology (OT) in local government networks is increasing.
- An incident that affects OT could have serious physical consequences, including service disruption, environmental impact or loss of life.
Phishing continues to be the most common method threat actors use to obtain initial network access.
- There is a critical need for local governments to roll out cyber security awareness and training programs for employees.

SPOTLIGHT ON: Significant security gaps in local government networks

Many local government organisations are not effectively managing cyber security, which makes them vulnerable to a broad range of cyber security threats.

In 2021, Auditor-General reports on Australian local government organisations found significant shortcomings in how they approach cyber security. Many local governments operate critical infrastructure assets, like sewage and water, while all provide essential services to their communities. Cyber gaps create opportunities for cyber intrusion that can result in data theft, but also disruption to physical systems.

The following have been identified as significant governance, capability and funding gaps common to most Australian local governments:

1. Governance: Many lack basic internal controls, risk management frameworks and
cyber risk policies.

2. Executive buy-in: Executives do not yet fully understand the cyber risk and consequently do not see the benefit of cyber security investment. It often takes a real cyber security incident to drive policy change.

3. Business continuity planning: Business continuity plans and disaster recovery plans do not reflect the current, rapidly changing threat environment.

4. Resourcing: Regional, rural and remote councils are especially budget constrained, with many across Australia struggling with financial sustainability. As local governments tend to operate on an annual budget basis, there is limited flex to respond to the evolving threat environment.

5. Staff capability: Poor staff awareness of cyber threats, limited security training and difficulty attracting and retaining cyber security talent due to both limited budgets and Australia’s constrained cyber workforce are key challenges for local governments.

6. Operational Technology (OT) management: Relatedly, security teams have traditionally been focused on IT networks, leaving gaps in managing the risks associated with internet connected OT networks. Separately, many OT network engineers do not understand principles of cyber security.

7. Intelligence-sharing: Lack of collaboration across local governments increases the cyber risk, particularly for smaller councils that cannot afford their own security teams.