Phase one results of the LGIS cyber pilot program are out and look concerning; phase two, starting in mid-2023, will develop resources to support the entire sector in building capacity and capability to address cyber vulnerabilities.
Rolled out in 2022, phase one of the pilot supported participating members to better understand their exposure to cybercrime and develop targeted plans to address it. It also provided LGIS with a representative sample to better understand the sector's cyber risk position.
The pilot program highlighted a number of deficiencies across the cyber control environment, with most local governments rating less than one (1) on the Australian Signals Directorate (ASD) Essential 8 maturity scale.
Cyber experts assessed the risks associated with systems against ASD Essential 8 - looking at the controls that are implemented internally to manage system information security risks. The Essential Eight guide was introduced as part of the federal government's cyber security policy, released in October 2021.
The findings of this assessment were consistent with successive Office of the Auditor General (OAG) reports. All four local government reports starting in 2019 found that the sector's cyber security readiness is inadequate. The most recent OAG report, 'Information Systems Audit – Local Government 2021-22', released this year, audited 53 local government entities and found 324 control weaknesses (of which 69% (225) were unresolved issues from the prior year).
The 2022 JLT Public Sector Risk Report also highlighted cyber security among the top five risks for the sector both nationally and in WA.
The pilot program aimed to work out a baseline for local government's cyber control environment. The members selected were based on a range of factors such as size and internal cyber resources, service provider dependency, and regional challenges.
Focus areas to improve cyber security; pilot findings
Restrict administrator privileges
Most local governments don't implement appropriate controls to restrict administrator privileges. Control failure can open the door for both insider and outsider attacks with loss of personal information and potential reputational risk.
User application hardening
Appropriate controls for user application hardening were poorly implemented. Hardening reduces security risk by eliminating potential attack vectors and condensing the system's attack surface.
Patch operating systems and patch applications
Automatic security patching of operating systems needs to be implemented. This is the most important control to ensure your organisation and customer data are secure against ransomware and other malware, which can take advantage of application vulnerabilities to hack your system.
Configure Microsoft Office macros
Proper controls and configuration of 'trusted macros' were poor across all participants. Macro configuration makes it more difficult for unauthorised programs to build 'self-replicating' code that can harm end-user systems.
Application control
Members need to have controls that uniquely identify traffic from various applications on a network. This enables an organisation to define and apply extremely granular security and network routing policies based upon the source of a particular traffic flow.
To have a chat about your cyber risk practices and how to manage them, please get in touch with your LGIS account manager.