A cyber security audit of local government entities in Western Australia showed vulnerabilities in some systems dating back to over 15 years.
The audit from the Office of the Auditor General Western Australia assessed a sample of 15 local government entities to determine how they manage cyber security risks and respond to cyber threats.
Local government entities use key systems to deliver services to their communities and collect information about residents, and this information is attractive to cyber criminals, according to Caroline Spencer, Auditor-General of Western Australia.
“LG entities need to understand and mitigate their cyber security risks.”
“In doing so, entity capability and public confidence in digital initiatives and government processes will be strengthened,” Spencer outlined in the report.
Conducting simulated attacks
For the audit, the team carried out black box simulated cyber attacks and sent test phishing emails to local government entities without their knowledge.
The black box approach is used to simulate a real-world scenario where tests are undertaken without any inside knowledge of the organisation’s IT environment or systems.
The team then worked with the Security Research Institute at Edith Cowan University to analyse the audit results.
The audit found that only three local government entities had adequate cyber security policies to govern and manage cyber security.
Nine local government entities had policies that were out of date or did not cover important areas, and the remaining three did not have a policy or framework.
“Without policies that clearly outline the principles and expectations of systems and employees, entities are at higher risk of compromise by cyber threats,” the report said.
“This may result in financial loss, reputational damage or disruption to the delivery of important services to their communities.”
The audit also found that only two local government entities had identified all their cyber risks, 10 had considered some but not all, and three had not identified any.
“If LG entities are not aware of their cyber risks, they cannot mitigate them,” the report said.
“This exposes them to higher risk of compromise which may adversely impact their business plans and objectives.”
No process for managing vulnerabilities
Most of the local government entities also did not have a process to manage vulnerabilities: only three had a process in place, and none of those processes was fully effective, according to the audit.
A penetration test is a simulated cyber attack that organisations can perform against their computer systems to check for vulnerabilities.
Only five of the local government entities had recently tested their security controls; two had not conducted tests since 2015, and one had never tested at all.
As part of the audit, the team used basic open source tools to simulate cyber attacks on the local government entities to test their response strategies.
Only three had their systems configured to detect and block the simulated attacks in a timely manner.
“It was concerning that nine LG entities did not detect nor respond to our simulations, and three LG entities took up to 14 days to detect the simulations, and only did so after the simulation intensity increased significantly,” the report said.
Ongoing training needed
Training staff to increase awareness of cyber security was not, on its own, enough to prevent cyber attacks, according to the audit. Seven staff who had undergone training still clicked on links in the test phishing emails, and some went on to submit their username and password.
“This type of information can be used to compromise key systems or deliver malware to maintain long-term access into entity networks,” the report said.
“Cyber security awareness programs should be ongoing and focus on current trends.
“Further, if awareness programs are overly technical, individuals will not understand the cyber risks posed to their entity and their personal responsibilities.”
The audit set out seven recommendations for local government entities to adopt, including having processes to identify and address cyber security risks, ongoing awareness programs and technical controls to detect and prevent phishing emails.
All of the 15 local government entities have accepted the recommendations.