


Samira Sarraf
Regional Editor for Australia and New Zealand

Queensland councils must strengthen information security controls

Jun 23, 2023 | 2 mins
Government, Risk Management

At least one Queensland council has suffered a cyberattack in 2023, and weaknesses in information system controls continue to increase among councils.

In April, one regional council in central Queensland suffered a cyberattack and is yet to determine its impact. According to the Queensland Audit Office local government 2022 audit, councils are taking too long to resolve high-risk issues, with 65% of the significant deficiencies unresolved as at 30 June 2022 remaining unresolved more than 12 months after being identified.

Significant deficiencies are those that carry substantial financial or reputational risk for councils and need to be addressed immediately, the report explains. Almost two-thirds of councils still have significant deficiencies in their information systems; the concern is the increase in cyberattacks across the public sector.

The audit recommends that the Department of State Development, Infrastructure, Local Government and Planning, in collaboration with the Queensland Government's Customer and Chief Digital Officer, develop a strategy to increase awareness and improve capability in the sector on cyber-related matters. "It is critical that councils implement strong security controls to protect their data from cyber-attacks, undetected errors, and potential financial loss, including through fraud," the document states.

Queensland's Audit Office Forward work plan 2023-26 includes information on responding to and recovering from cyberattacks with insights and lessons learned on entities' preparedness.

Lack of password controls, security governance policies

The most common issues identified were inappropriate access levels being assigned to council staff, lack of good controls to implement and monitor strong passwords, and lack of good policies to govern the security of information systems. As per the audit, "implementing effective controls to mitigate the risk of cyberattacks should be performed on a cost-benefit basis," which could be one of the issues stopping councils taking appropriate measures.

In its 2020 report Managing cyber security risks, the Audit Office recommends that all Queensland public sector entities assess whether they have a framework for managing cybersecurity risks, know what information assets they have, and know to what extent those information assets are exposed to cybersecurity risks.

NSW councils are also facing serious issues when it comes to cybersecurity, with almost half of the state's councils not having a formal cybersecurity plan in place and not being required to follow guidance.