Why is cybersecurity important to local governments, and what trends are you seeing?

Risk Matters - Autumn 2021

Faizal Janif

Head of Cyber Consulting, Marsh Advisory Pacific

Faizal is a senior security executive who sits on the Australian Information Security Association’s (AISA) Executive Advisory Board and on the Australian Cyber Security Centre (ACSC) panel reviewing the Australian Cyber Security Strategy, is a member of the Joint Cyber Security Centre (JCSC), and has worked closely with the Australian Prudential Regulation Authority (APRA), the Australian Payments Clearing Association (APCA) and, most recently, the Australian Energy Market Operator (AEMO), the Australian Signals Directorate (ASD) and the Department of Home Affairs. In addition, Faizal is the founder of the Cyber 12.

In today’s day and age, cybersecurity is important to us all because it encompasses everything that relates to the protection of our sensitive data, including:

  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Personal information
  • Intellectual property (IP)
  • Sensitive business driven data

The risk of a breach is ever increasing in this uncertain climate, largely driven by global connectivity and our shift towards a cloud-first strategy. With poor cyber strategies and increasingly sophisticated cyber criminals, the risk of a successful cyber-attack or data breach is on the rise.

The days of a simple firewall and antivirus software being your sole security measures are long gone; leaders now have to be more proactive than reactive with their cybersecurity.

Cyber awareness and training that educate your staff about simple social engineering scams like phishing, and about more sophisticated cybersecurity attacks like ransomware, play an integral part in the organisation’s overall cyber defence strategy.

The importance of a robust cyber framework is on the rise. We are now more reliant on technology than ever before and there is no sign of this slowing down. As each generation becomes more reliant on technology, the attack surface is increasing at an alarming rate.

Governments around the world are bringing more attention to cybercrime. The Notifiable Data Breach (NDB) scheme in Australia is a great example. It has increased the reputational damage of data breaches by forcing organisations that are subject to the scheme to:

  • Communicate data breaches to the affected individuals and the Office of the Australian Information Commissioner
  • Require user consent to process information
  • Anonymise data for privacy

Australia is not the only country with these types of measures: while there are no national laws overseeing data breach disclosure in the United States, there are data breach laws in all 50 states, and the EU has the General Data Protection Regulation (GDPR). Commonalities with the NDB include:

  • A requirement to notify those affected as soon as possible
  • A requirement to notify the government as soon as possible
  • Some form of fine

Why is cybercrime increasing?

Information theft is now one of the most lucrative businesses globally. Industrial control systems (ICS) that manage power grids and other infrastructure can be disrupted or destroyed and are now heavily targeted.

Cybercriminals are becoming more sophisticated, changing who and what they target, how they affect organisations, and the methods of attack they use against different organisations.

Social engineering remains one of the easiest forms of cyber-attack, with ransomware, phishing and spyware being the easiest forms of entry. Third-party and fourth-party vendors who process or access your data are another common attack vector, making vendor risk management and third-party risk management an essential part of your holistic cyber strategy.

According to the Ninth Annual Cost of Cybercrime study from Accenture and the Ponemon Institute, the average cost of cybercrime for an organisation (globally) has increased by $1.4 million over the last year to $13.0 million and the average number of data breaches rose by 11% from 130 to 145. Information risk management has never been more important.

From June 2019 to June 2020 in local, state, and federal governments, there were:

  • 800 cyber security incidents reported
  • 450 of these targeted central governments
  • 350 of these targeted state and local governments
  • 35% impacted critical infrastructure
  • 948 government agencies, educational entities and health care providers impacted by ransomware

What is the impact of cybercrime?

The impacts of cybercrime can be varied and quite widespread:

  • Economic costs: theft of intellectual property and corporate information, disruption to trading, and the cost of repairing damaged systems
  • Reputational costs: loss of consumer trust, loss of current and future customers to competitors, and poor media coverage
  • Regulatory costs: data breach laws mean that your organisation could suffer regulatory fines or sanctions as a result of cybercrime

All levels of government, regardless of size, must ensure all staff understand cybersecurity threats and how to minimise or mitigate them. There should be regular training and a framework to work within that aims to reduce the risk of data leaks or data breaches.

Given the nature of cybercrime and how difficult it can be to detect, it is difficult to understand the direct and indirect costs of many security breaches. This doesn’t mean the reputational damage of even a small data breach or other security event is not large. If anything, consumers expect increasingly sophisticated cybersecurity measures as time goes on.

Case study 1

A metropolitan local government received an email from a regular supplier, advising of changes to their bank account details. The email address was checked for authenticity with the current email address on file. Once confirmed, the bank account details of the supplier were updated.

The local government then received genuine invoices from the supplier for work carried out, and made payment in accordance with the changed details. A few days later the supplier contacted the local government advising that payment had not been received. Upon investigation, the most likely cause was that the supplier’s system had been hacked by a third party and the perpetrator had sent the initial email advising the local government of the changes to bank account details.

Case study 2

A rural local government received an email from an employee who requested a change to their bank account details. The requisite form was supplied for the ‘employee’ to fill out. Once the completed form was submitted, it was sent to the payroll team for the employee’s bank account details to be updated.

A few weeks later, the employee advised that their wages had not been received. Upon investigation, the initial request to change bank account details had been fraudulent.

Case study 3

A large metropolitan local government was targeted in a high impact ransomware attack. Hackers gained access to their network and completely took over administrative privileges. The impact to the local government was several days of near-total IT services shutdown including limited/no access to phones, a complete server outage, limited end user computing capacity and a near inability for staff to work using technology at all.

Council had an IT partner and had invested in data protection, firewall, anti-malware, anti-spam and anti-virus products; however, due to the targeted nature of the attack, these were all unable to protect against this type of complex incident.

These claims were successfully made on the LGIS policy. Aside from the financial losses suffered by all parties involved, these scenarios also caused reputational damage and conflict with members’ business partners, particularly around determining responsibility for the loss and who would therefore bear the financial consequences.

Have a question you'd like answered?

Each month we take your questions to one of our LGIS team members to answer.

If you want to submit a question for next issue, email us at [email protected]
