In the firing line

Local government is in the cybersecurity firing line. Picture: SASCHA STEINBACH, EPA

By Tania Phillips and Eleanor Wilson

The Australian Local Government Association has called for more federal funding to combat cybersecurity threats following several high-profile incidents in recent weeks including attacks on Optus and Telstra staff files.

In July the service provider for City of Casey’s Bunjil Place e-newsletter, WordFly, also endured a security incident, potentially compromising the names and email addresses of thousands of users.

“Investing in local government will support Australia’s 537 councils to be better equipped to deal with increasing cybersecurity threats,” ALGA National President Linda Scott said.

“Providing councils with more funding will allow them to better protect and manage their digital platforms and recruit suitable trained staff to support this work.”

Scott’s comments come as senior officials from two leading cybersecurity companies urge councils to become more proactive in protecting their data.

DDLS is one of Australia’s largest providers of cybersecurity training.

Its CEO John Lang said there needed to be more cybersecurity education in local councils.

“When we look at local council staff, it’s safe to say the majority are not cybersecurity experts, not even IT professionals,” he said.

“We have a diverse group of admin staff, accountants, communications specialists and more, who most likely have limited cybersecurity knowledge.

“Hackers know this and attempt to extract sensitive information by playing on human error, such as in the case of phishing attacks. Unfortunately, cyber-attacks are getting more sophisticated by the day, with many able to bypass traditional security tools like firewalls that previously provided sufficient protection. So the onus is on local councils to invest in cybersecurity education for their staff, and by that we mean not just for the few IT people, but the entire staff group.”

Mr Lang said councils and other organisations within the public sector had to move towards a proactive model of cybersecurity protection and increase training and education, rather than a reactive approach following a breach.

“Although many public sector organisations, especially smaller ones, may see cybersecurity training as an unnecessary expense or a low priority, it’s far more cost-effective to invest in training than deal with the cost and reputational damage of a data breach,” he said.

Scott Leach, vice president of Asia Pacific-Japan at international cybersecurity firm Varonis, reiterated that councils could be a major target for an Optus-like attack.

“Local councils remain a key target for cyber-attacks due to the highly sensitive nature of files they produce and collect, which may contain personal information and confidential contracts for example,” he warned.

“It is recommended that councils take a proactive rather than reactive approach in order to prevent increasingly nefarious and sophisticated cyberattacks. A key way to do this is implementing a policy of least privilege, which means employees are only given access to the files necessary to do their jobs.

“By restricting access to their most sensitive information, public sector organisations can reduce the amount of damage that occurs if a hacker does manage to breach their network.

“With little or no access to sensitive files, ransomware is significantly less effective, saving organisations thousands of dollars if not millions in some cases and also severe reputational damage. This policy is an absolute bare minimum precautionary measure that all public sector organisations need to take.”

In a statement to email subscribers in July, the City of Casey clarified that the WordFly incident did not affect any other e-newsletters sent by the City of Casey, which are sent via different email providers.

“On Saturday 16 July, WordFly confirmed that names and email addresses of those subscribed to the Bunjil Place e-newsletter may have been impacted,” the council said.

“There is currently no evidence that any of this data has been misused.”

The council added that users’ Bunjil Place accounts, which contain more sensitive information, are not stored in WordFly and were not affected by the incident.