Building cyber resilience in local government

14 October 2016

Leon Fouche, National Leader, Cyber Security |

Local governments are the lifeblood of many Australian communities, so it should come as no surprise that they are also the keepers of a large volume of incredibly sensitive data. Think residential addresses, payment information, land holding details and credit history, just to name a few. This type of data is extremely valuable, especially on the ‘black market’.

With cybercrime on the rise, and cyber security increasingly being considered an integral part of national security, local governments must take a proactive approach to their cyber security. A technically-driven defence that lacks a targeted focus on key assets, planning and governance will simply not stand up to the test in today’s operating environment.

Focus on detection and response capabilities

Regardless of whether or not an organisation has experienced a cyber incident, best practice is to hold the view that such incidents are inevitable. Attention should be placed on reducing the risk of such occurrences taking place, managing the organisation’s response when they occur, and putting in place robust business continuity plans to minimise impact to the organisation. That is, an increased focus on detection and response capabilities, rather than relying only on preventative and protective security controls.

What has become increasingly clear is that cyber security is now a major governance issue. Regulators, employees, customers, shareholders and government organisations at all levels should be looking to their boards and senior management to take the lead. Despite this, many organisations are still taking a ‘head in the sand’ approach to cyber security — holding the view that it ‘won’t happen to us’ or ‘the IT department will deal with it’.

Cyber security trends in the public sector

In recent times, my team and I have observed first hand an increase in the following threats facing local government:

  • Website defacement – cyber adversaries gaining unauthorised access to an organisation’s website content, allowing them to edit a public facing website
  • Distributed Denial of Service (DDoS) attacks – attacks designed to flood internet links with large volumes of requests, degrading their performance or rendering communication links inoperative
  • Phishing – email scams and attempts by scammers to elicit sensitive and/or personal information from employees
  • Ransomware – cyber criminals install malicious software designed to lock access to information systems until a sum of money is paid to regain access. This is becoming more prevalent of late
  • Data leakage – confidential or sensitive information is ‘leaked’ from corporate information systems via employees, contractors or suppliers.

Like most organisations, local government is becoming increasingly susceptible to cyber attack, as many cyber adversaries have discovered that they make attractive targets because of the value of the data they hold and the perception that they are easier to penetrate than large organisations with dedicated security teams. This gives many cyber adversaries the view that local government would be less likely to catch an adversary in the act. The latest Cyber Threat Report from the Australian Cyber Security Centre (ACSC) provides some case studies of recent cyber attacks in the public sector

How local government can increase its cyber resilience

A good starting point when it comes to tackling what can seem like an insurmountable task is for local government organisations to assess their level of risk.

BDO’s Cyber Security Health Check was designed for this purpose, providing a practical way to identify opportunities for improvement and areas of existing strength to be leveraged.

The Health Check draws upon benchmark data to assess an organisation’s core cyber security functions, including:

  • Identifying appropriate safeguards to ensure delivery of critical services
  • Protecting systems, assets, data, and capabilities from cyber security risk
  • Detecting the occurrence of cyber security events
  • Responding to detected cyber security events
  • Recovering and restoring any capabilities or services that were impaired due to cyber security events.

Whilst perfect cyber security may not be possible in today’s continually evolving digital landscape, a practical and robust cyber resilience framework is well within the reach of any organisation, including local government.

What our experience has proven for certain is that the impact of an incident is greatly reduced when an organisation’s leadership makes certain that cyber incidents are handled appropriately, supported by effective communication both internally and externally to manage the outcome.

If you want to know more about enhancing cyber resilience within local government or other areas of the public sector, contact me for a discussion about the key considerations for your organisation.