Cyber-security failure a risk to local government

Risk Matters - Winter 2022

At the end of 2021 local government leaders across Australia ranked cyber-security failure as their number two risk, just behind financial sustainability. Local government leaders are not alone in their concern: when Australian business leaders responded to the January 2022 Marsh Executive Opinion Survey, cyber-exposure topped their list.

Globally there has been a dramatic surge in cyber-events with the cost of cybercrime estimated at $US6.9 billion in 2021.

In Australia the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, an uptick of 13% from the previous financial year. During this period a higher proportion of incidents were categorised as ‘substantial’ in impact.

No sector of the Australian economy was immune from the impacts of cybercrime and other malicious cyber-activity. Government agencies at all levels, large organisations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted over the reporting period – predominantly by criminals or state actors.

Heightened frequency and severity of cyber claims have led to a significant increase in global commercial insurance pricing for cyber-cover for the first quarter of 2022 – 110% in the US and 102% in the UK. According to a new report from Marsh and Microsoft nearly 75% of organisations globally have experienced cyberattacks.

Ransomware attacks have become particularly pervasive, with 71% of global leaders ranking it as their number one cyber-concern according to the latest State of cyber resilience report from Marsh and Microsoft.

Types of cyberattacks experienced by organisations

From a WA perspective LGIS has seen a small increase in cyber-events and we know that it’s on the minds of the local government sector. Many of the breaches that we’ve seen have been the result of phishing attempts targeting human imperfection and a tendency to trust.

The WA Office of the Auditor General (OAG) conducted an audit of 15 local governments in November 2021. Unfortunately, the OAG found that local governments had not managed their cyber-security risks well. Out-of-date software accounted for a large number of cyber-security vulnerabilities and, despite staff awareness training, over half of the audited entities did not have controls to prevent their staff falling victim to social engineering attacks (for example, phishing emails). Most of the local governments audited also lacked appropriate incident response and recovery plans to respond to cyber-security incidents and recover key systems.

Against this backdrop, it is imperative that local government leaders develop an organisation-wide approach to cyber resilience – all leaders should assume that an attack will come; it’s a matter of when, and of how prepared your organisation is.

Australian cyber-vulnerability trends

1. Digital everything

Businesses and individuals are increasingly dependent on digital systems, and this dependence has been further accelerated by COVID-19. In the past 18 months the take-up of cloud service providers, data aggregators and application programming interfaces (APIs) has been striking; unfortunately, these technologies often result in less protection against cyber-intrusion.

In parallel, the appetite for organisations to operate multiple technologies working in concert – enabled devices, edge computing, blockchain and 5G – is growing. While these capabilities offer tremendous opportunities for business operations, they also expose users to more harmful forms of digital and cyber-risk.

2. Increasingly sophisticated attacks

According to the latest data from the Australian Cyber Security Centre (ACSC), one cybercrime was reported in Australia every eight minutes in 2021, a 13% increase from the previous year. Digital transition and transformation have increased the cyber-threat landscape for organisations.

Exploiting vulnerabilities in freely accessible code has also proved fruitful for criminals. For example, in December 2021, just one week after a critical security flaw was discovered in the widely used software library Log4j, more than 100 attempts to exploit the vulnerability were detected every minute.

The Log4j vulnerability is now so widespread that it potentially impacts all aspects of the Australian economy, resulting in indemnity providers withdrawing coverage for Log4j-linked vulnerabilities.

3. Digital hygiene gaps and cyber-worker shortage

95% of cybersecurity issues are traced to human error, and insider threats (be they intentional or accidental) represent 43% of all breaches. All organisations need to improve basic digital hygiene as well as organisational controls and governance.

In addition, there is an undersupply of cyber professionals – a gap of more than 3 million worldwide. This is a critical shortage of people who can provide cyber-leadership, test and secure systems and train people in digital hygiene.

Protect or pay – consequences for local government

Australian governments, at all levels, are seeking to protect against and mitigate their cyber-exposure. The traditional Scheme protections of property, liability and professional indemnity are not intended to respond to the most significant business impacts that may result from a cyber-event. That’s why LGIS provides all members with cyber-protection tailored to the needs of the WA local government sector.

Cyber-protection will continue to be an important risk financing tool that LGIS members use to recover financially from a cyber-event. However, as threats continue to grow, there is an expectation from LGIS (and our indemnity providers) that local governments are also bolstering their cyber-resilience.

As previous incursions (like SolarWinds) have demonstrated, exposure to vendors and supply chain partners must also be assessed and managed. The Scheme recognises the interconnected nature of technology and systems; a local government does not have to be the primary victim of an attack to suffer from the consequences of one. The impact of disruptive cyberattacks could be financially devastating for members that fail to invest in protections across their entire digital infrastructure.

Building local government cyber-resilience

It’s clear given the cyber-environment, alongside the climbing costs of cyber insurance commercially, that building resilience will be key for local governments moving forward.

Cyber-risks need to be appropriately managed and rated according to the type and severity of the risk to the organisation – and not a ‘tick the box’ line item in the risk register. Local governments should consider the essential elements of cyber security from strategy, governance, and enterprise risk management to controls architecture, implementation, and management.

In 2022 LGIS will launch a pilot program to assist our members in understanding their current cyber-security position. This will allow members to prioritise their cyber-strategy across the organisation.

Most importantly cyber will need to become everyone’s responsibility – it can no longer be relegated to the IT department as ‘their job’ to look after.

For more information about cyber-protections and risk management talk to your LGIS account manager.

Case study 1: Local government caught in phishing net

The following is a case study of a cyber-event experienced by an Australian local government.

The local government’s former facilities officer engaged a local firm to undertake maintenance on their office building. The work was completed and a valid invoice for over $60,000 was issued via email to the former employee. The former employee forwarded this invoice to the local government’s accounts payable team.

Later, the contractor called the local government enquiring as to when they could expect to be paid. The creditor account showed the invoice as being paid. The local government asked the maintenance vendor for confirmation of their bank account details. At this point, it was determined that a fraud event had occurred and payment had been made to a fraudulent account.

Investigations revealed that around the time the legitimate invoice was received, the former employee’s Microsoft Office 365 email account was compromised by a threat actor. It appears the threat actor monitored email traffic through the account. The threat actor accessed the Office 365 mailbox and created a series of email rules. These rules allowed the threat actor to impersonate the former employee using his actual mailbox while remaining undetected.

The threat actor then sent an email from the former employee’s mailbox with a fraudulent copy of the invoice requesting bank account details to be changed from what was on the original valid invoice. Payment was subsequently made to the updated and fraudulent account.

The local government has since paid the legitimate invoice and is seeking reimbursement for the funds paid to the fraudulent account.

This incident emphasises the importance of exercising due diligence when processing payments and changes in bank account details. Local governments should consider having a verification process in place when vendors request a change in bank details.

It is important to use existing contact details provided by the vendor rather than rely on contact details provided within the email as these could be fraudulent.
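As an added example, not taken from the LGIS article or the council involved, the following Python triages mailbox-rule audit events for the concealment pattern described above: new inbox rules that divert or hide mail so the mailbox owner never sees it. It assumes records shaped like Microsoft 365 unified audit log entries for New-InboxRule (an Operation field plus a Parameters list of Name/Value pairs); the sample records, the domain example.gov.au, and the folder and keyword lists are constructed for illustration.

```python
import json

# Assumptions for this example: the council's own mail domain, folders that
# attackers use to hide mail, and keywords that mark payment-related traffic.
INTERNAL_DOMAINS = {"example.gov.au"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank")

# Constructed events shaped like unified audit log InboxRule records: a benign
# filing rule, then one matching the concealment pattern in the case study.
SAMPLE_LOG = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "facilities@example.gov.au",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "New-InboxRule", "UserId": "facilities@example.gov.au",
     "ClientIP": "203.0.113.5", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "ForwardTo", "Value": "accounts@mail-example.invalid"}]},
])

def rule_reasons(event):
    """List the concealment indicators present in one New-/Set-InboxRule event."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in event.get("Parameters", [])}
    reasons = []
    if not p.get("Name", "").strip(" ."):
        reasons.append("rule name is blank or only punctuation")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    if p.get("MarkAsRead", "").lower() == "true" and "MoveToFolder" in p:
        reasons.append("marks moved mail as read so nothing looks unread")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        domain = p.get(key, "").rpartition("@")[2].lower()
        if domain and domain not in INTERNAL_DOMAINS:
            reasons.append(f"{key} sends mail outside the organisation")
    if any(w in p.get("SubjectOrBodyContainsWords", "").lower() for w in FINANCE_WORDS):
        reasons.append("targets finance-related mail")
    return reasons


def triage(log_text, threshold=2):
    """Return (UserId, ClientIP, reasons) for events with at least threshold indicators."""
    return [(e["UserId"], e["ClientIP"], r) for e in json.loads(log_text)
            if len(r := rule_reasons(e)) >= threshold]
```

A single indicator (a filing rule, or an internal forward) is normal user behaviour, which is why the triage only flags events that combine two or more; the flagged UserId and ClientIP are the starting point for checking sign-in logs for the same account.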

Case study 2: Held to ransom

The following is a case study of a cyber-event experienced by an Australian local government in a remote, regional location.

First Incident

In early 2020, the local government identified a number of suspicious events via its antivirus platform, Webroot, which indicated that there may have been unauthorised access to their network.

Shortly after these suspicious events were identified, the local government conducted a preliminary investigation via their external IT vendor. That vendor also enlisted the assistance of a forensics firm.

The forensics consultant determined that a server on the local government’s network located in a depot server room at their premises was accessed by an unknown attacker and encrypted with ransomware along with one workstation and some other machines.

The protection provider was notified that month and, for unknown reasons, the local government later withdrew their cyber-notification despite having a valid claim.

The protection provider was advised that further investigation was required to determine the key elements of the attack, including the initial entry point, the scope of compromised accounts and hosts, the attacker’s activities across the network and whether access was still available to the attacker. The local government was advised of this; however, they proceeded to withdraw the claim.

Second Incident

In mid-2020, the local government notified the protection provider of another cyber-incident where it lost access to its systems. Upon inspecting its server infrastructure, the internal IT department found that a number of files were encrypted. The encryption encapsulated all of the local government’s major business systems, including its finance and payroll system required to pay its employees. The encrypted files were appended with ‘.thanos’ and ‘.eruption’.

The local government’s backups were also comprehensively encrypted. A ransom payment was requested by the threat actor. The local government appointed a forensic investigator to look into payment of the ransom in order to obtain decryption keys. The investigator stated the Bitcoin ransom amount converted to over $90,000. The local government ultimately paid two ransom demands in Bitcoin through their forensic investigator to obtain appropriate decryption keys.

An investigation determined the two incidents were related events.

Costs

Total costs for this claim are estimated to be $140,000.
