Audit: Western Australia Auditor General’s Local Government Information Security Audit 2021-22 reports 324 control weaknesses
West Australian Councils Audit Report 29 March 2023
Western Australia Auditor General’s Local Government Information Security Audit 2021-22 reports 324 control weaknesses
Cyber security concerns as council’s network rack found in staff toilet
Western Australia Auditor General Report: Information Systems Audit – Local Government 2021-22
Media Report:Cyber security concerns as council’s network rack found in staff toilet | Government News
Local government is facing increasing cyber security risks as councils adopt technologies designed to deliver services and efficiencies, West Australia’s auditor general has warned.
Auditor General Ms Caroline Spencer said 324 general computer control weaknesses were reported to 53 local government entities for the 2021-22 year. ‘Disappointingly, 69% of these weaknesses were unresolved issues from the prior year, including 27 of the 31 significant findings.
The report includes a number of case studies that the local government sector and community can learn from:
- One entity did not have a cyber security awareness program despite experiencing threecyber attacks in three years. The entity attributes these attacks to phishing or poor password hygiene. We first raised this issue with the entity in 2020.
- In 2022, an entity’s staff account was compromised and used to instigate a phishing attack on third parties. The entity did not have a cyber security incident response plan to coordinate a response and communicate with impacted third parties. We had recommended, in 2021, the entity develop a plan.
- At one entity we found poor physical control around IT infrastructure, along with the back door to the office and records room left unlocked during the day despite being publicly accessible. Cash takings were also left in an unlocked safe. These weaknesses increase the likelihood of unauthorised access to systems and theft of public property and information
- One entity had not configured its finance application to stop the same individual from approving purchase orders and invoices for the purchase of goods and services. Although the entity had manual controls in place, these could be bypassed.