WA native authorities entities have been placed on discover to enhance their cyber safety insurance policies and procedures after 9 councils didn’t detect a simulated cyber assault.
An audit, launched on Wednesday, discovered that solely three of the 15 audited entities have been able to detecting and blocking the simulated assaults in a “well timed method”.
“Solely three LG [local government] entities had their techniques configured to detect and block our simulated assaults in a well timed method,” the WA auditor stated [pdf].
“It was regarding that 9 LG entities didn’t detect nor reply to our simulations, and three LG entities took as much as 14 days to detect the simulations.”
The auditor stated that whereas the 12 entities had techniques to detect intrusions, “processes weren’t in place to analyse info generated by the techniques in a well timed method”.
“With out these processes, LG entities could not successfully reply to cyber intrusions in time to guard their techniques and knowledge,” it stated.
The audit additionally discovered solely three entities had “enough” cyber safety insurance policies, with the rest of entities both with outdated insurance policies (9 councils) or with out insurance policies fully (three councils).
Solely two had recognized all their cyber dangers, whereas 10 had thought of some however not all.
Vulnerability administration was additionally discovered to be a priority, with vulnerabilities of various sorts, severity and age discovered on publicly accessible IT infrastructure.
The 2 largest vulnerabilities recognized have been out-of-date software program (55 p.c) and weak, flawed or outdated encryption (34 p.c).
The audit added that “44 p.c of vulnerabilities have been of essential and excessive severity, with an extra 49 p.c of medium severity,” and that the majority vulnerabilities have been older than 12 months.
Whereas three entities have been discovered to have a course of to handle vulnerabilities, none of those have been “absolutely efficient”, the audit stated.
Solely 5 entities had just lately examined the effectiveness of their safety controls. Two entities had not performed checks since 2015 and one entity had by no means examined.
The audit additionally discovered that the entities are at “vital threat” from phishing assaults, with a phishing e mail containing a hyperlink to a web site asking for credentials used to check the entities.
Employees at greater than half of the entities accessed the hyperlink within the phishing train and, in some instances, supplied their username and password, regardless of most entities offering employees cyber safety consciousness coaching.
At one entity, 52 folks clicked the hyperlink and 46 supplied their credentials after one employees member forwarded the check e mail to a wider group of employees and exterior contacts.
The auditor has advisable that technical controls and targeted coaching be launched to assist forestall phishing sooner or later.
It has advisable that every one entities enhance their cyber safety insurance policies and processes, together with by adopting the Australian Cyber Safety Centre’s Important Eight controls.