328 security weaknesses found in Australian local government systems

A report has been submitted to Parliament underlining the weaknesses of the computer environments in local government entities

The computer systems used at 50 Australian local government (LG) entities have been found to contain 328 control weaknesses, and in one case a network password had not been changed since 2002.

The report, carried out by the auditor-general of Western Australia Caroline Spencer, has been submitted to Parliament and focused on the computing environments of 50 entities to determine if they effectively support the confidentiality, integrity and availability of the information they hold. 

The audit focused on 6 areas: information security, business continuity, management of IT risks, IT operations, change control, and physical security.

Spencer found that LG entities need to improve their general computer controls. 328 control weaknesses were reported to 50 entities, with 10% (33) rated as significant and 72% (236) as moderate. 

“As these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, the LG entities should act promptly to resolve them,” wrote Spencer.

For 11 entities, a “capability maturity assessment” was performed, which is the most comprehensive information systems audit the authority carries out. None of the 11 entities met the expectations across six control categories, with 79% of the audit results below the minimum benchmark.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

Spencer revealed that five of the entities were included in last year’s in-depth assessment and could have improved their capability by addressing the previous year’s audit findings but “did not discernibly do so”.

Given the nature of the findings, the entities have not been identified, although Spencer said this practice may change over time to provide an incentive to public entities to more promptly address identified control shortcomings.

At one entity, the use of privileged access rights to the network were not appropriately restricted and controlled. The entity had not changed the password for the default network admin account since 2002, even though a number of IT staff who knew the password had left.

At another, there were inadequate controls to check the integrity and authenticity of emails. Malicious users could impersonate genuine individuals to gain unauthorised access to systems and information, leaving the entity at increased risk of cyber-attacks. Plus, it emerged staff were using many different cloud storage services to share the entity’s business information, putting its sensitive information at risk.

The report provided six recommendations for each area it focused on and local entities are now expected to prepare an action plan within the next 3 months to address the matters raised in the report.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

NSW ditches e-voting system after glitch left citizens unable to vote
digital transformation

NSW ditches e-voting system after glitch left citizens unable to vote

18 Jan 2022
Tonga communications could be down for "weeks" following volcanic eruption
Network & Internet

Tonga communications could be down for "weeks" following volcanic eruption

17 Jan 2022
Singapore discourages cryptocurrency trading with new regulations
cryptocurrencies

Singapore discourages cryptocurrency trading with new regulations

17 Jan 2022
Yahoo Japan will pay for staff flights to the office under new remote working policy
flexible working

Yahoo Japan will pay for staff flights to the office under new remote working policy

14 Jan 2022

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
Hired by machines: Exploring recruitment's machine-driven future
recruitment

Hired by machines: Exploring recruitment's machine-driven future

8 Jan 2022