More than a third of local councils across NSW are still without basic internal controls and governance arrangements for cyber security, the state’s auditor-general has revealed.
In its annual audit of the local government sector, the NSW Audit Office found poor management of cyber security at 58 of the state’s 128 local councils, nine county councils and 13 joint organisations.
“Fifty-eight councils have yet to implement basic governance and internal controls to manage cyber security,” the report [pdf] released on Thursday said.
It said this included “a cyber security framework, policy and procedure, register of cyber incidents, penetration testing and training”.
Bellingen Shire Council was singled out in the report for its lack of a cyber risk framework and policy (a repeat finding), as was Maitland City Council for having gaps in its cyber security controls.
Newcastle City Council was similarly found to have no formal IT policies and procedures for cyber security, access management or incident management.
Maitland City Council and Newcastle City Council were also found to have no cyber security awareness program.
While the result is an improvement on last year, when 80 percent of councils were found to have no formal cyber security policy, the audit highlights the ongoing struggle to address IT security risks.
The audit notes that while there is no requirement for councils to comply with the NSW government’s cyber policy, “councils may find it useful to refer to the policy for further guidance”.
Cyber Security NSW is currently working with the Office of Local Government, within the Department of Planning, Industry and Environment, to develop an industry-specific cyber security policy by July.
It follows a recommendation in last year’s local government audit that the Office of Local Government do so to “ensure a consistent response to cyber security risk across councils”.
The government has also since extended the remit of Cyber Security NSW to include councils and smaller agencies thanks to a $60 million investment in the central cyber office last year.
The peak body for councils in the state, Local Government NSW, last year criticised the government for failing to support cyber security in the local government sector.
The audit report also found that 64 councils “did not formalise and/or regularly review their key IT policies and procedures”.
A further 43 councils “did not perform a periodic user access review to ensure users’ access to key IT systems” were appropriate and 68 councils “did not monitor privileged accounts’ activity logs”.