New Cyber Pilot Program to help members identify and address cyber risks

Risk Matters - Spring 2022

LGIS is piloting a cyber-risk program in 2022 designed to help members better understand their exposure to cyber crime and develop targeted plans to address it.

The Office of the Auditor General (OAG) released their Information Systems Audit Report 2022 – Local Government Entities in June. After an audit of 45 local government entities for calendar year 2020 to 2021, the report found that the sector is performing poorly in terms of cyber security.

Over the 2020-21 period the OAG reported 358 control weaknesses for 45 entities, compared to 328 weaknesses at 50 entities in the previous period. 10% of this year’s weaknesses were rated as significant and 71% as moderate. These weaknesses represent a considerable risk to the confidentiality, integrity and availability of entities’ information systems and need prompt resolution. 


LGIS understands these concerns and, through our new cyber-risk pilot program, we aim to support members in improving their cyber-security practices.

Our program is designed to analyse and benchmark current cyber-security practices and controls, and identify areas for improvement to build capability and boost members’ security position.

This involves assessing the various controls that the member implements internally in its control environment to manage the information security risks associated with its systems.

The Essential 8 Framework developed by the Australian Signals Directorate (ASD) has a prioritised list of baseline security controls that organisations can implement to protect and improve their cyber-security. These eight controls can mitigate up to 85% of cyberattacks.

What are the Essential 8 security controls?

1. Application whitelisting

Only pre-approved software should be allowed to run on your network, and this should be enforced through whitelisting.

2. Patch applications

Regular patching should take place to fix security vulnerabilities in software applications.

3. Configure Microsoft Office macro settings

Macros from the internet should be blocked, and only vetted macros with limited write access or macros that are digitally signed with a trusted certificate should be allowed.

4. User application hardening

Application hardening should be implemented. It involves disabling insecure and unused services, such as Flash, Java and web ads, in applications. It also restricts the use of applications that are known to be vulnerable.

5. Restrict administrative privileges

Restricted administrative privileges should be applied to operating systems and applications based on user duties. These should be restricted to only those who need them. Regularly revalidating the need for privileges is essential to maintain correct levels of access.

6. Patch operating systems

Patching fixes security vulnerabilities in operating systems and should be conducted frequently.

7. Multi-factor authentication

Multi-factor authentication ensures users are granted access only after successfully presenting multiple, separate pieces of evidence of authenticity, and should be implemented across all users.

8. Daily backups

All data should be backed up regularly and stored securely offline or at an alternate site, such as a secondary data centre or in the cloud.

How will the Cyber Pilot Program help LGIS members?

The program’s key objective is to gather information on how our members currently manage cyber-risks, giving due consideration to concerns around issues like obsolete software, ransomware management processes and cost of recovery for back-up technology.

At the end of 2021 local government leaders across Australia ranked cyber-security failure as their number two risk, just behind financial sustainability. 

It’s clear, given the cyber-environment alongside the climbing costs of cyber protection, that building resilience against cyber-risks will be key for local governments moving forward. Our cyber-pilot program will be a key factor in helping local government members develop resilience against cyber-risks. 

For support on improving your local government’s cyber-security practices, contact the LGIS risk team. 
