NSW Auditor-General Reveals Critical Cybersecurity Gaps in Local Councils
In an era where digital threats are escalating, the cybersecurity posture of local councils is crucial to safeguarding community services and infrastructure. A recent audit by the New South Wales Auditor-General has revealed significant cybersecurity vulnerabilities across NSW councils, underscoring the urgent need for comprehensive cybersecurity strategies.
Key Findings from the Audit
The audit assessed 128 councils, 13 joint organisations, and nine county councils, uncovering several critical concerns:
- Risk Assessment Deficiencies: Thirty-six councils had not assessed their cyber risks at all. Among those that had, 37% identified cyber risks above the level they had set as acceptable, meaning the risk was known but not yet treated.
- Lack of Cybersecurity Policies: Thirty-seven councils operated without formal cybersecurity policies, with rural councils making up 49% of this group.
- Incomplete Asset Identification: 64% of councils had not fully identified the information assets that require protection. An asset that is not inventoried cannot be classified, monitored, patched, or prioritised in an incident, so these gaps undermine every other control.
- Incident Response Gaps: 33% of councils lacked a centralised register for cyber incidents, and 43% had no cyber incident response plans. Of those with plans, 44% lacked detailed incident management playbooks.
- Decline in Awareness Training: Only 69% of councils mandated cybersecurity awareness training for all employees in 2024, a decrease from 74% in 2023.
Case Studies Highlighting Vulnerabilities
The report detailed incidents demonstrating the tangible risks councils face:
- Carding Attack on Payment Systems: Cybercriminals used one council's vendor-hosted online payment system to verify stolen credit card details. In a card-testing ("carding") attack of this kind, the attacker runs many small transactions against a public payment page to find out which stolen cards are still live; the council's page became the verification tool, exposing it to fraud losses and reputational harm.
- Library System Breach: Another council experienced a breach of its third-party library system, potentially exposing customers’ personal information.
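The carding case above is detectable in the payment gateway's own authorisation logs, because card testing looks different from real customers: many small authorisations from one source in a short window, an unusually high decline rate, and many distinct cards. The following Python is an added example written for this page, not code from the audit report, the council, or any payment vendor. The log format, field names, sample lines, and thresholds are all constructed assumptions; a real gateway export will need its own parser, and thresholds should be tuned against a council's normal traffic before alerting on them.

```python
"""Card-testing ("carding") detection over payment-gateway authorisation logs.

Added example; not part of the NSW Auditor-General report or any vendor's code.
The log format below is a constructed assumption (ts|src_ip|card_fingerprint|amount|result).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 is the card-tester: seven $1.00 authorisations
# in ten seconds against seven different cards, most of them declined.
# 192.0.2.44 is a genuine customer retrying one card that keeps declining.
# 198.51.100.9 is a single normal payment.
SAMPLE_LOG = """\
2025-03-02T10:00:01|203.0.113.7|f1a2|1.00|declined
2025-03-02T10:00:03|203.0.113.7|f1a3|1.00|declined
2025-03-02T10:00:04|203.0.113.7|f1a4|1.00|approved
2025-03-02T10:00:06|203.0.113.7|f1a5|1.00|declined
2025-03-02T10:00:08|203.0.113.7|f1a6|1.00|declined
2025-03-02T10:00:09|203.0.113.7|f1a7|1.00|approved
2025-03-02T10:00:11|203.0.113.7|f1a8|1.00|declined
2025-03-02T10:01:00|192.0.2.44|c0de|42.00|declined
2025-03-02T10:01:20|192.0.2.44|c0de|42.00|declined
2025-03-02T10:01:45|192.0.2.44|c0de|42.00|declined
2025-03-02T10:02:10|192.0.2.44|c0de|42.00|declined
2025-03-02T10:02:30|192.0.2.44|c0de|42.00|declined
2025-03-02T10:05:00|198.51.100.9|aa01|145.50|approved
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    card_fp: str      # a gateway-side card fingerprint/token, never the PAN itself
    amount: float
    approved: bool


def parse_log(text):
    """Parse the constructed pipe-delimited format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, fp, amount, result = line.split("|")
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, fp,
                                float(amount), result == "approved"))
    return events


def find_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      min_decline_ratio=0.5, min_distinct_cards=4, small_amount=5.0):
    """Flag source IPs whose authorisations inside any sliding window look like card testing.

    All four conditions must hold in one window: enough attempts, a high decline ratio,
    many distinct cards, and every amount at or below `small_amount`. Requiring distinct
    cards is what separates a tester from a customer retrying a single declining card.
    Returns {src_ip: summary of the largest matching window}.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it never spans more than `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            declines = sum(1 for e in win if not e.approved)
            distinct = {e.card_fp for e in win}
            all_small = all(e.amount <= small_amount for e in win)
            if (declines / len(win) >= min_decline_ratio
                    and len(distinct) >= min_distinct_cards and all_small):
                prev = alerts.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "declines": declines,
                        "distinct_cards": len(distinct),
                        "first_seen": win[0].ts.isoformat(),
                        "last_seen": win[-1].ts.isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card-testing suspected from {ip}: {summary}")
```

Run it as-is and only 203.0.113.7 is reported; the retrying customer at 192.0.2.44 is not, despite five straight declines, because every attempt used the same card and a non-trivial amount. In production the alert would feed the council's incident register and trigger rate limiting or CAPTCHA at the vendor, and the distinct-card count is the signal worth keeping even if the other thresholds are relaxed.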
Contributing Factors to Cybersecurity Challenges
Several factors contribute to these vulnerabilities:
- Non-Mandatory Guidelines: The Office of Local Government's Cyber Security Guidelines, updated in January 2025, remain recommendations rather than enforceable mandates, so adoption varies widely from council to council.
- Resource Constraints: Councils struggle to attract and retain skilled cybersecurity professionals, with twelve councils explicitly acknowledging insufficient funding for cybersecurity initiatives.
Recommendations for Strengthening Cybersecurity
To strengthen cybersecurity resilience, councils should consider the following measures:
- Integrate Cybersecurity into Governance: Embed cybersecurity risk assessments and monitoring within corporate governance structures.
- Conduct Self-Assessments: Regularly evaluate cybersecurity practices against established guidelines to identify and address vulnerabilities.
- Develop Comprehensive Improvement Plans: Formulate and implement risk-based strategies to systematically enhance cybersecurity measures.
- Establish and Test Incident Response Plans: Create detailed response plans with clear playbooks and conduct regular drills to ensure preparedness.
- Prioritise Employee Training: Mandate ongoing cybersecurity awareness training for staff to effectively recognise and mitigate cyber threats.
Conclusion
The findings from the NSW Auditor-General’s audit serve as a critical reminder of the cybersecurity vulnerabilities prevalent within local councils. Addressing these issues proactively is essential to safeguarding sensitive information, protecting community services, and maintaining public trust in our increasingly digital world.
How TRU Investigations Can Help
At TRU Investigations, we specialise in comprehensive cybersecurity assessments, incident response planning, employee training, and ongoing monitoring. Our expert team can assist councils and businesses to identify vulnerabilities, strengthen cybersecurity defences, and effectively respond to cyber threats.
Contact us today to ensure your organisation remains secure in the digital age.