Five things local councils can do to build cybersecurity resilience

Australia’s more than 500 councils face a unique array of cyber resilience challenges, owing to the broad range of services they provide. Local government responsibilities cover everything from roads, waste collection and management, recreation facilities, and health and community services, to cultural facilities like libraries and art galleries, and — in regional and rural Australia — water, sewerage and aerodromes.

Each of these distinct areas often has its own associated technology systems. Modes of connectivity to and from these sites also differ, depending on the size of the local government area and the geographic spread of locations that make up its various operations.

A lot can potentially go wrong.

There can be issues with software systems, such as a bad update or a local connectivity outage that causes service or performance degradation at one or more locations. Application and network complexity also means that local councils have a broad attack surface — represented by the number of potential routes into the environment that threat actors could exploit.

From a cyber resilience perspective, whether an outage is the result of a cloud or software issue or a cyber attack may be neither here nor there if the result is the same: system downtime that results in services being slow or unavailable, and frustration for ratepayers.

Local governments need to insure against things that might threaten their operational resilience. Some of that ‘insurance’ involves having access to skilled resources. There tends to be big differences in the resourcing levels that exist in the largest metropolitan councils and those in more regional and rural zones. The number of people dedicated to cybersecurity, resilience and operational improvement internally can vary substantially.

Other ‘insurance’ may be provided by specific IT monitoring and security software suites. However, software alone does not offer complete protection; it needs to be supported by people and processes to be effective. Managed services are one way that smaller local councils can bridge these gaps.

For local governments that are looking to uplift their cyber resilience, or just get a better sense of where they can improve, there are five impactful actions that can be taken.

1. Take a broader view

Cyber resilience needs to be addressed at a whole-of-council level, and not on a function-by-function or system-by-system basis. The latter can occur when an outage or attack disrupts one aspect of council operations, so it naturally becomes a priority area for remediation, or if the scale of operations makes it too difficult to determine where the right place to start is.

Looking at and understanding the resilience challenge holistically is important in prioritising efforts and investments effectively.

2. Treat cyber resilience like workplace health and safety

Local governments prepare and publish workplace health and safety statements that outline their WHS principles, speak to the organisation’s commitments to safety and explain what actions are expected if an issue or risk is identified. Cyber resilience can benefit from the same structured approach.

A cyber resilience statement can outline the council’s principles, approach and expected actions at a high level when a threat to resilience is identified. It will likely require conversations with the general manager and other key stakeholders to formulate, but documenting how cyber threats are to be triaged and remediated can go a long way to building preparedness in the event that a risk does materialise into something more.

3. Take an Essential Eight assessment

The Australian Cyber Security Centre’s (ACSC) Essential Eight is relied on by everyone from government agencies to businesses to understand their technology environment and the effectiveness of security controls around it. Assessment against it is a good benchmark for a council’s cyber resilience; the result of an assessment is the identification of any gaps along with a minimum set of preventative measures that can then be taken.

This kind of exercise — either performed in-house or by an expert security consultant — can be particularly helpful in understanding precisely where local governments should be prioritising their efforts and investments.

4. Simulate an attack and recovery

A key aspect of cyber resilience is having business continuity and disaster recovery (BC/DR) strategies and systems in place and on demand, in case they are required. However, BC/DR mechanisms are infrequently tested, or the testing may not be as rigorous or realistic as might be encountered in an actual attack or incident.

Rather than treating BC/DR testing as a checkbox exercise, a more effective test strategy is to simulate an actual data breach or incident that is modelled off a recent attack that’s been observed elsewhere in Australia or the world. Going through this process ensures that system behaviours are understood, and any unexpected behaviours can be ironed out before they contribute to a cyber resiliency incident.

5. Consider a CISO-as-a-service model

In our estimation, less than one in 10 councils is large enough to have its own dedicated CISO. But, if the goal is to build cyber resilience, access to the knowledge of an experienced cyber professional is critical. A CISO is also the first port of call when things go wrong, providing the council with clear direction on what to do next. For councils that do not have the budget for their own dedicated CISO, a managed service that offers CISO-like support is a great alternative to build internal capability and resilience.

*Dan Wright is General Manager, Cloud & Connect for Atturra’s Managed Services and has more than 30 years of IT industry experience working across a wide range of industries to develop innovative technology solutions.

Top image credit: iStock.com/alexsl