A report surveying local government CEOs and General Managers has found that cybersecurity is the second biggest risk for local government following financial sustainability.
Many Council IT departments have to deal with old and legacy systems that are either out of support or “locked out” of being able to apply contemporary security updates and patches. That, coupled with the lack of human and financial resources, leaves cybersecurity as a “nice to have”. The fact that Councils are now adopting “Internet of Things” and “Smart City” technology increases risks to Councils’ data and their communities’ privacy.
Local Government Professionals Australia (“LGPA”) outlines five key recommendations for the federal government to act on. The first is to develop a set of standards and compliance certifications. LGPA’s CEO argues that if there were standards, Councils could work to a degree of efficiency across the sector.
The second recommendation is to increase government-provided incentives and training in the recruitment of IT personnel who specialise in cybersecurity. Councils generally lack staff training and awareness, not just among IT personnel but across all staff (including Executives); addressing this would enhance a Council’s security and privacy culture.
The third and fourth recommendations are to provide resources and training to staff and make it easier to find relevant information on the Australian Government’s Australian Cyber Security Centre resource site.
The fifth recommendation is a call for the federal government to assist in the identification and classification of critical infrastructure. Many Councils manage regional airports, sports, key roads, water and sewerage and even mines. Some of these could be considered primary or secondary critical infrastructure, meaning that if they were wiped out by a cyber-attack, it would cause a significant impact on the community.
The five key recommendations (summary)
The LGPA has made a submission to the federal government’s 2020 Cyber Security Strategy reflecting the following five recommendations:
1. Developing a minimum set of standards and compliance certifications or expanding the application of existing Commonwealth standards to local government
2. Increasing Australian Government-provided incentives and training in the recruitment of skilled IT workers in the cybersecurity field, particularly in encouraging work in regional and remote areas
3. Providing resources and training assistance to improve or deliver cyber awareness training for the broader local government workforce
4. Improving the ability to find the relevant material through filters or industry specific pathways to improve the functionality and uptake of the Australian Government’s Australian Cyber Security Centre resource site
5. Assisting in the identification and classing of critical infrastructure and then developing appropriate management plans to increase the understanding of risk and thus the security of this infrastructure.