According to a recent annual evaluation, there are significant cybersecurity risks in Queensland’s local government organizations. The review describes deficiencies in information systems and inadequate cyber training. It also underscores the essential role that leading cybersecurity companies play in identifying and resolving these vulnerabilities.
Systemic Weaknesses in Information Systems
The Queensland Auditor-General’s 2023 report states, “Two-thirds of Queensland’s 77 councils have weaknesses in the security of their information systems.” A total of 113 issues were found throughout the evaluation, comprising 66 newly identified flaws and 47 unresolved problems from earlier audits.
The report also says, “Forty-five councils have at least one deficiency in their information technology systems, and fourteen councils have one or more significant deficiencies in their information systems that have not been resolved for over a year.” Excessive access granted to system users is the main cause of these problems.
Specific Deficiencies Identified
The report points out various deficiencies, such as “not having strong controls for passwords to access systems” (4), “not having good processes to manage changes to systems” (10), “not having complete, up-to-date policies and procedures” (10), “having gaps in their cyber and system security controls” (11), and “other deficiencies” (22).
Lack of Cybersecurity Training
The annual review report found that a quarter of councils had not provided the required cybersecurity training to their staff. Back in 2019-20, the Auditor-General suggested that councils “conduct mandatory cyber security awareness training.”
“There are 17 councils that have still not developed and implemented mandatory cyber security training for their staff as we recommended three years ago. These councils, combined, have 30 deficiencies in their information systems.”
The Auditor-General said that it will soon release a report that includes recommendations to strengthen cyber resilience as well as a more in-depth analysis of the industry’s vulnerabilities.
“We are finalising a performance audit on insights and lessons learned on entities’ preparedness to respond to and recover from cyber attacks,” it stated.
“We encourage councils and the department to review this report when it is tabled and implement any recommendations relevant to them.”
Warning on Unresolved Deficiencies
The report issues a stern warning, stating, “When significant deficiencies remain unresolved for a long time, they may result in increased exposure to cyber-related risks, including loss of personal information or disruptions to services” and “reputational damage to the council.”
In April of last year, the Isaac Region Council was the target of a ransomware attack. Other councils in Queensland may have experienced unreported cyber intrusions. Also, recent news reports say local governments won’t be subject to the state’s statutory data breach notification program until mid-2026, despite it being enacted in November.
“As cyber security threats increase in number and sophistication, councils must promptly address any weaknesses in their information systems,” the Auditor-General said.
“Councils need to make sure their staff remain vigilant to detect and mitigate threats, prevent human errors, and adapt to evolving cyber risks.”
In light of Queensland councils’ vulnerabilities, Mr. Manish Chaudhari, CISO of Cybernetic Global Intelligence, stresses the essential role of cybersecurity companies in contemporary times. Recognising the critical need for robust defences, he highlights that cybersecurity auditors are indispensable to ensuring proactive measures that can safeguard sensitive data and bolster overall security resilience.