West Australia’s local governments need to improve their computer controls, according to an audit which found 328 weaknesses in a survey of 50 councils.
Ten per cent of the weakness were rated as significant and requiring prompt action. Seventy-two were moderate and only 18 per cent were rated as minor.
“All these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, and the LG entities should act promptly to resolve them,” the WA Auditor General’s report Local Government General Computer Controls concludes.
The report takes in the results of a series of information systems audits across 50 WA local governments in 2020, as well as audits on 11 councils across information security, business continuity, IT risks, It operations, physical security and change control.
None of the 11 LG entities met expectations across all six categories, auditor general Caroline Spencer said, and all 11 were below the benchmark on information security. Seventy-nine per cent were below the minimum benchmark across all six categories.
“We found weaknesses in controls for information security, business continuity, change management, physical security and IT operations. Entities also need to improve how they identify and treat information risks,” she said.
Ten common problems:
- Lack of information security policies and staff training about potential cyber threats
- Lack of policies , procedures and processes to manage technical vulnerabilities
- Failure to segregate internal networks from external facing systems
- Poor remote access controls, including lack of multi-factor authentication
- Failure to restrict and control privileged access to networks and systems
- Inadequte controls to secure emails an business information
- Lack of up-to-date business continuity and disaster recovery arrangements, or failure to regularly test those that existed
- Lack of polices to document, assess, review and report IT risks
- Failure to control and monitor user access
- Lack of appropriate policies and procedures to implement changes
The report also provides real-life examples of how poor computer controls had resulted in breaches, theft of sensitive and confidential information and financial loss.
These including one council where a user’s account details were stolen in an undetected phishing attack, resulting in a fraudulent transaction on a corporate credit card and the downloading of 10GB of sensitive emails.
In another case a password that hadn’t been changed since3 2002 was used out of office hours and the council was unable to explain its use.
Warning to councils
Ms Spencer said information systems underpin most aspects of operations and services and hold information about the public and community that is confidential and needs to be protected.
“It is important that entities implement appropriate controls to maintain reliable, secure and resilient information systems,” she said.
She said her audit didn’t name individual councils this time but warned this could change to provide an incentive for them to more
promptly address shortcomings.
The WA audit echoes the findings of an investigation by the South Australian Auditor General released in February, which also found cyber governance was lacking in local government in that state.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.
Sign up to the Government News newsletter