Developing Cyber Security Standards and Improving Cyber Risk Management in Councils

 

Hear from Jacqueline Hiddlestone, IT Innovation Program Manager, Canterbury – Bankstown City Council on how to cultivate a council-wide cybersecurity culture and provide effective training for staff

Local government councils have many issues to manage and many concerns to worry about. One such issue is, or should be, cyber security. Councils are often the closest tier of government to the citizens, so this issue is relevant to both staff and citizens, as it has the potential to have enormous impacts.

Jacqueline Hiddlestone, the IT Innovation Program Manager at Canterbury Bankstown City Council in Sydney, says that councils need to be particularly aware of cyber security because they need to “create the knowledge, awareness and urgency to address the risk across their organisations.” This is particularly necessary because of the proliferation of cyberattacks in recent years, and this is a trend that is only going to “increase exponentially across the globe.”

By global standards, Australia is ranked sixth in the world in terms of countries most susceptible to cyberattacks, with the USA and the UK at the top of the list, based on recent data. This data suggests that Australia had 16 “significant” cyberattacks from 2006 to 2020, and it defines that as an attack that affected government agencies or other large corporations and resulted in losses of more than $1 million. In 2020 alone, there were global attacks at a number of large companies across the world, some resulting in losses of “$20 million or more.” All of this highlights the “dangers of supply chain attacks and has a major impact on the countries and organisations concerned.”

Looking after the cyber security of an organisation is therefore critical, and doing so can be defined as “the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks and threats.” To help organisations protect themselves, the federal government’s “Office of the Australian Information Commissioner published a Response Plan in June 2018.” It defined “notable data breaches and noted that breaches can be triggered through human error, deliberate attacks or technical failure.” In NSW, this plan was followed by the release in February 2019 of the “NSW Cyber Security Policy as part of the Department of Customer Services’ Beyond Digital Strategy.” It lists the “mandatory 25 requirements for cyber security, and covers all measures, from information processes stored or communicated, to compromises of confidentiality, integrity or availability.” This is a policy that is required by all agencies “to enhance their organisational resilience. The embedment of the policy has already made a difference.”

Councils play an important role in mitigating risks

At a local government level, it is important to “cultivate a council-wide cyber security culture, and associated policies and frameworks.” In general, “councils are far more risk averse than many other similarly sized organisations.”

“Implementing effective information controls and cyber training for staff should be at the forefront of cyber awareness for councils. This requires councils to establish appropriate systems to manage cyber security risk effectively, and to make better and more informed decisions.”

Jacqueline Hiddlestone, IT Innovation Program Manager, Canterbury Bankstown City Council (NSW)

Councils need to follow “cyber risk management guidelines” that generally deal with the uncertainty of risk. After all, there is a risk in doing almost anything, from crossing the street to riding a bike. The important thing is to “mitigate the risk. That is key.” In terms of cyber security risks, there are three things to keep in mind: “the perception that something could happen, the likelihood of it actually happening, and the consequences or impacts if it does happen.” The level of risk is therefore determined by “combining the likelihood and the consequences.” Any action that a council or any other organisation takes to mitigate the risks “must be capable of reducing the likelihood and all of the consequences, which in turn reduces the level of risk.” Risk mitigation and management is all about reducing the level of risk “to an acceptable threshold level within the respective council’s risk appetite, and taking into account the nature of the risk.”

Any council or similar organisation has “exposure points, or attack vectors.” These are things like passwords, internet connectivity, network controls, accessibility and many others. Without things like these, organisations would not be able to function, yet it is important to realise that all of them could be compromised. Security controls are therefore necessary.

“Councils need to establish a system to process, identify, analyse and treat cyber security risks seriously. If unaddressed, cyber risks could prevent councils from effectively achieving their strategic, operational and project objectives, as well as their statutory and community obligations.”

Jacqueline Hiddlestone, IT Innovation Program Manager, Canterbury Bankstown City Council (NSW)

Managing risks is all about looking at where exposure could come from, and this “should be integrated into the culture, business practices, and strategic planning across the organisation.” Many organisations follow a cyber security framework, which “offers a systematic approach for informed decision-making and the minimisation of risk.” The framework provides the “policies, procedures, systems and processes that are essential to applying effective cyber security management.” Often the actions that come out of such a framework include “staff training, the development of new processes, or improvements to current processes.”

Many of the risk management strategies are derived from international ISO standards and include a range of risk identification and mitigation techniques. These include, for instance, the need to “communicate and consult with stakeholders to provide appropriate information,” and the need to “contextualise and define the parameters” before beginning the process. It is also a good idea to determine “the risk appetite or tolerance of the organisation,” and to take notes and review the risk management process on a regular basis. Moreover, there are always internal and external factors that need to be considered, such as “legislation and regulation, the impacts on staff and the community, and what effect an attack might have.” Although prevention is always preferred, it is important to think about how the impacts of an attack could be limited, and what recovery will look like. Some of these insights might influence the risk management strategies.

Another thing that is absolutely necessary to consider and make time for is staff training. “A recent report indicated that up to 86% of infiltration occurred via work email addresses.” Staff therefore need to be trained to “identify potential phishing, and know when and how to report it.” Backing up data regularly is also essential, though there are potential infiltration points there as well. “Having the knowledge of when to declare an incident, how to stop an incident and how to take an effective action, are all part of the management of cyber risks.”