Leveraging Management Consulting to Strengthen Cyber Security in NSW Local Councils

March 28, 2024

Local councils across New South Wales (NSW) play a vital role in providing essential services and infrastructure to communities. In an increasingly digital world, councils rely heavily on various information systems and software to efficiently manage operations. However, this reliance on digital technologies also exposes them to cyber security risks, which, if not managed effectively, can lead to significant disruptions and compromises in service delivery.

A recent audit conducted by the Audit Office of NSW in 2023 highlighted concerning gaps in cyber security risk management practices among local councils, necessitating urgent action to strengthen cyber resilience. The audit, which focused on three representative councils (City of Parramatta, Singleton Shire Council, and Warrumbungle Shire Council), revealed deficiencies in identifying, managing, and responding to cyber security risks.

About the Audit

The audit assessed the effectiveness of selected councils in identifying and managing cyber security risks from July 2021 to October 2023. It focused on risk management planning, cyber security risk identification and management, leadership and governance, and incident response processes. The audit excluded simulated exercises and compliance assessments with Cyber Security Guidelines.

Council Findings

The findings from the audits of the selected councils shed light on the deficiencies in identifying and managing cyber security risks, including the absence of formal cyber security plans, ineffective governance arrangements, and inadequate monitoring of controls. The key findings from the report, grouped by theme, are as follows.

  • Identification of Cyber Security Risks: None of the audited councils effectively identified cyber security risks, with deficiencies in risk assessment frameworks and processes.
  • Planning to Improve Cyber Security: Two councils lacked formal plans for improving cyber security, while one had a roadmap but lacked structured improvement initiatives.
  • Resource Planning and Expertise: Councils exhibited varying levels of resourcing and expertise in cyber security, with deficiencies in workforce planning and documentation.
  • Governance Arrangements: None of the audited councils had effective governance arrangements for cyber security, lacking mechanisms for regular reporting and oversight.
  • Managing Cyber Security Risks: Policies and procedures across councils had gaps, and responses to recommendations were neither timely nor risk-based.
  • Cyber Security Training: While some councils implemented staff training, deficiencies existed in scheduling and regularity.

Guidance and Support for Cyber Security Management in Local Government (LG)

Various agencies, including Cyber Security NSW and the Office of Local Government, provide guidance and support to local councils for enhancing cyber resilience. The Cyber Security Guidelines for local government, issued in December 2022, offer a roadmap for councils to bolster their cyber security posture. However, the challenge lies in the voluntary nature of these guidelines and the lack of mandated reporting on their implementation progress. Collaboration among government agencies, the development of procurement guidelines that address cyber security risks, and consistent engagement with councils are crucial to ensuring effective cyber security management across the local government sector.

Cyber Security Guidelines – LG Foundational Requirements

The Cyber Security Guidelines outline foundational requirements for local councils to enhance cyber resilience:

  • Lead: Implement cyber security planning and governance, allocate roles and responsibilities, and integrate cyber security into risk management frameworks.
  • Prepare: Foster a cyber security culture, conduct regular awareness training, and establish appropriate access controls.
  • Prevent: Manage cyber security risks, implement Information Security Management Systems, and incorporate cyber security requirements into procurements.
  • Detect, Respond, Recover: Improve resilience by detecting and responding to cyber incidents, maintain a current incident response plan, and report incidents to designated authorities.

External Assistance – Your Pivotal Partner in Augmenting Cyber Resilience

Management consulting can play a significant role in addressing the challenges faced by local councils in enhancing cyber resilience, particularly concerning the voluntary nature of the guidelines and the lack of mandated reporting on implementation progress. Here is how management consulting can help:

  • Gap Analysis and Assessment: Management consultants can conduct comprehensive assessments of local councils’ current cyber security posture, comparing it against the Cyber Security Guidelines issued by agencies like Cyber Security NSW and the Office of Local Government. This analysis would identify gaps and areas for improvement.
  • Strategy Development: Consultants can assist in developing tailored cyber security strategies and roadmaps aligned with the guidelines. This involves defining clear objectives, priorities, and action plans for implementation.
  • Change Management: Implementing cyber security measures often requires significant organizational changes. Management consultants can facilitate change management processes, helping councils navigate cultural shifts, training needs, and stakeholder buy-in.
  • Policy and Procedure Development: Consultants can assist councils in developing robust cyber security policies and procedures aligned with the guidelines. This includes governance frameworks, incident response plans, and employee training programs.
  • Compliance and Reporting: While the guidelines are voluntary, consultants can help councils understand the importance of compliance and develop mechanisms for voluntary reporting on implementation progress. This could involve setting up metrics, benchmarks, and reporting structures to track progress and demonstrate accountability.
  • Collaboration and Engagement: Consultants can facilitate collaboration among government agencies, councils, and other stakeholders. This involves organizing workshops, forums, and collaborative initiatives aimed at sharing best practices, resources, and insights.
  • Procurement Guidelines: Consultants can assist in the development of procurement guidelines addressing cyber security risks. This ensures that councils incorporate cyber security requirements into their procurement processes when acquiring new technologies or services.
  • Training and Capacity Building: Consultants can provide training and capacity-building programs for council staff to enhance their cyber security awareness and skills. This empowers employees to recognize and respond to cyber threats effectively.
  • Continuous Improvement: Cyber security is an ongoing process that requires continuous improvement. Consultants can help councils establish mechanisms for continuous monitoring, evaluation, and refinement of their cyber security measures.

Effective cyber security management is imperative for NSW local councils to safeguard operations and protect sensitive information. By leveraging the expertise of management consultants together with the available guidance and support, local councils can overcome the challenges associated with enhancing cyber resilience and effectively implement the recommended guidelines to safeguard their digital assets and operations from the growing threat of cyber incidents.

Article written by: Chris Arancibia – Principal Business Consultant at Dynamic Corporate Solutions
