In the wake of recent cyber-attacks on government agencies, such as the Stonnington City Council and the Isaac Regional Council in Central Queensland, the cybersecurity landscape for Australia's 537 local government areas (LGAs) demands careful consideration. These incidents underscore the vulnerability of local councils to cyber threats, shedding light on the pressing need for robust cybersecurity measures.
The attack on the Stonnington City Council, which targeted its email gateway system supporting critical ICT infrastructure and third-party payment gateways, exposed a glaring vulnerability in the system and caused extensive damage operationally and financially. Similarly, the ransomware attack on the Isaac Regional Council encrypted and locked system files, highlighting the evolving tactics of cybercriminals.
Are LGAs a target for cybercriminals?
The perception that LGAs were once less likely targets has been shattered by these high-profile attacks and is enough for the Australian Cyber Security Centre to issue a warning that local governments, responsible for essential services like water and sewage, are becoming attractive targets for bad actors.
Despite these threats, a concerning trend persists where many LGAs are not giving due attention to cybersecurity. The latest NSW Auditor General Financial Audit Local Government 2022 report revealed that 47 per cent of all NSW councils lack basic governance and internal controls for cybersecurity. Moreover, a report from WA's Auditor General found that none of the 12 LGAs assessed met expectations across cybersecurity criteria, emphasising the need for urgent action.
Why are LGAs now a target?
Local governments handle a vast amount of personal information daily, ranging from business and development proposals to ratepayer and local household information. In addition, their threat surface is vast and riddled with vulnerability hotspots such as:
Limited Resources: Local councils often have limited budgets and resources, making it difficult to invest in robust cybersecurity measures.
Lack of In-House Expertise: Many local councils do not have in-house cybersecurity experts or dedicated IT staff with the necessary knowledge and skills to address cybersecurity threats effectively.
Diverse User Base: Local councils serve a diverse user base, including employees, residents, and local businesses. This diversity can make it challenging to manage and secure the various endpoints, applications, firewalls and access points.
Legacy Systems: Many local councils rely on legacy IT systems and infrastructure, which may be outdated and lack security features, or make endpoint protection challenging. Upgrading or replacing these systems can be costly and complex.
Limited Incident Response Capabilities: Local councils may not have comprehensive incident response plans or resources available. This can lead to delayed responses and increased damage in the event of a breach.
Supply Chain Risks: Local councils rely on various suppliers and third-party vendors for services and software. These supply chain partners can introduce cybersecurity risks, as vulnerabilities in their systems can be exploited to compromise the council's security.
Public Wi-Fi and Digital Services: Local councils often provide public Wi-Fi services and digital platforms for residents. These services can become attack vectors if not properly secured, potentially leading to data breaches or cyberattacks on users.
To mitigate the risk of cyber-attacks, LGAs must prioritise cybersecurity through a comprehensive approach. Moreover, the implementation of a round-the-clock robust security solution that delivers regular updates and reviews of IT systems and policies is vital.
Want to learn about how IPSec works with other Local Government Authorities in your area? Sign up to our LGA 360 Cybersecurity Educational Initiative.