Federal and State Governments are much better resourced when it comes to combatting cyber attacks, but cyber security is an increasingly critical issue for Local Government authorities.
Linda Scott, the president of the Australian Local Government Association, has called for more cyber security support for the sector after a series of recent attacks.
The ALGA, which represents 537 councils nationally, has asked for $10 million in funding to assess “local government’s preparedness to deal with cyber-attacks and data breaches.”
The organisation is also seeking the appointment of a dedicated chief information security officer to tighten procedures across the sector.
The call came after Isaac regional council, which covers an area north of Rockhampton and south of Mackay in Queensland, confirmed it had experienced a security breach in early April.
Isaac chief executive Jeff Stewart-Harris said the council’s IT systems had been shut down to protect data theft in the wake of the malicious attack, which was identified as ransomware.
“At this stage we do not have any evidence of large data uploads out of our system however this is still being fully investigated so can’t be guaranteed,” Stewart-Harris said.
Isaac Council is working with Dell Incident Response and Recovery Services and the Australian CyberSecurity Centre to understand the breach and implement security solutions going forward.
Stewart-Harris also called on federal support for the local government sector, saying that without more support councils were at risk of further data breaches with the potential for community based data to be compromised.
Other councils known to have experienced breaches include Warrnambool in Victoria, which was targeted in 2022, and two other Queensland councils, Noosa and Toowoomba.
Consulting group KPMG dealt with the issue in a December 2022 report, noting that councils are “extremely vulnerable” and had “only limited explicit policies and procedures and controls in place.”
“Local councils are being targeted by ransomware and other phishing cyber threats in an intention of service disruption and stealing valuable information for monetary gain,” the KPMG report said.
It noted several other examples, such as an attack on a Victorian local council in August 2021 which forced the council to disable many online services, including online payments, the ePlanning system and its call centre for over two weeks. It was forced to operate under ‘manual processes’ during this time.
Also, a city council in South Australia was hit by a ransomware attack in December 2021 resulting in encryption of its servers, which consequently caused substantial service disruption.
KPMG noted that few local governments had substantial IT budgets, “which means they have fewer specialised resources to safeguard against sophisticated attacks.”
“All local governments give attention to development of critical infrastructure assets such as sewage, water, utilities, playgrounds, schools, and community care facilities while attention for privacy and security of sensitive information often has little to no funding, despite underpinning all strategic and operational areas,” the report said.
“Since many of the basic cyber security controls are not in place, millions of community and staff members’ data will be left exposed if not fully secured.
“The other issue is that IT budgets are currently used for cyber security needs exposing conflicting priorities between the two functions in local government.”
