328 security weaknesses found in Australian local government systems

A report has been submitted to Parliament underlining the weaknesses of the computer environments in local government entities

The computer systems used at 50 Australian local government (LG) entities have been found to contain 328 control weaknesses, and in one case a network password had not been changed since 2002.

The report, carried out by the auditor-general of Western Australia Caroline Spencer, has been submitted to Parliament and focused on the computing environments of 50 entities to determine if they effectively support the confidentiality, integrity and availability of the information they hold. 

The audit focused on 6 areas: information security, business continuity, management of IT risks, IT operations, change control, and physical security.

Spencer found that LG entities need to improve their general computer controls. 328 control weaknesses were reported to 50 entities, with 10% (33) rated as significant and 72% (236) as moderate. 

“As these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, the LG entities should act promptly to resolve them,” wrote Spencer.

For 11 entities, a “capability maturity assessment” was performed, which is the most comprehensive information systems audit the authority carries out. None of the 11 entities met the expectations across six control categories, with 79% of the audit results below the minimum benchmark.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

Spencer revealed that five of the entities were included in last year’s in-depth assessment and could have improved their capability by addressing the previous year’s audit findings but “did not discernibly do so”.

Given the nature of the findings, the entities have not been identified, although Spencer said this practice may change over time to provide an incentive to public entities to more promptly address identified control shortcomings.

At one entity, the use of privileged access rights to the network were not appropriately restricted and controlled. The entity had not changed the password for the default network admin account since 2002, even though a number of IT staff who knew the password had left.

At another, there were inadequate controls to check the integrity and authenticity of emails. Malicious users could impersonate genuine individuals to gain unauthorised access to systems and information, leaving the entity at increased risk of cyber-attacks. Plus, it emerged staff were using many different cloud storage services to share the entity’s business information, putting its sensitive information at risk.

The report provided six recommendations for each area it focused on and local entities are now expected to prepare an action plan within the next 3 months to address the matters raised in the report.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Google Cloud to open new office in Pune, India
Cloud

Google Cloud to open new office in Pune, India

24 Jan 2022
China accused of hijacking Australian PM's WeChat account
social media

China accused of hijacking Australian PM's WeChat account

24 Jan 2022
Singapore and Madrid named biggest movers in latest data centre rankings
data centres

Singapore and Madrid named biggest movers in latest data centre rankings

20 Jan 2022
UK and Australia partner on cyber security investment
Policy & legislation

UK and Australia partner on cyber security investment

20 Jan 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022