328 security weaknesses found in Australian local government systems

A report has been submitted to Parliament underlining the weaknesses of the computer environments in local government entities

The computer systems used at 50 Australian local government (LG) entities have been found to contain 328 control weaknesses, and in one case a network password had not been changed since 2002.

The report, carried out by the auditor-general of Western Australia Caroline Spencer, has been submitted to Parliament and focused on the computing environments of 50 entities to determine if they effectively support the confidentiality, integrity and availability of the information they hold. 

The audit focused on 6 areas: information security, business continuity, management of IT risks, IT operations, change control, and physical security.

Spencer found that LG entities need to improve their general computer controls. 328 control weaknesses were reported to 50 entities, with 10% (33) rated as significant and 72% (236) as moderate. 

“As these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, the LG entities should act promptly to resolve them,” wrote Spencer.

For 11 entities, a “capability maturity assessment” was performed, which is the most comprehensive information systems audit the authority carries out. None of the 11 entities met the expectations across six control categories, with 79% of the audit results below the minimum benchmark.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastDownload now

Spencer revealed that five of the entities were included in last year’s in-depth assessment and could have improved their capability by addressing the previous year’s audit findings but “did not discernibly do so”.

Given the nature of the findings, the entities have not been identified, although Spencer said this practice may change over time to provide an incentive to public entities to more promptly address identified control shortcomings.

At one entity, the use of privileged access rights to the network were not appropriately restricted and controlled. The entity had not changed the password for the default network admin account since 2002, even though a number of IT staff who knew the password had left.

At another, there were inadequate controls to check the integrity and authenticity of emails. Malicious users could impersonate genuine individuals to gain unauthorised access to systems and information, leaving the entity at increased risk of cyber-attacks. Plus, it emerged staff were using many different cloud storage services to share the entity’s business information, putting its sensitive information at risk.

The report provided six recommendations for each area it focused on and local entities are now expected to prepare an action plan within the next 3 months to address the matters raised in the report.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Wipro and Google Cloud launch cloud innovation space in India
Cloud

Wipro and Google Cloud launch cloud innovation space in India

20 Sep 2021
Victoria launches $50 million cyber strategy
Policy & legislation

Victoria launches $50 million cyber strategy

20 Sep 2021
AWS to launch cloud services reseller in Australia
Amazon Web Services (AWS)

AWS to launch cloud services reseller in Australia

17 Sep 2021
Cyber crime in Australia increased 13% in the last year
cyber crime

Cyber crime in Australia increased 13% in the last year

15 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021
Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition
mergers and acquisitions

Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition

14 Sep 2021