In April, one regional council in central Queensland suffered a cyberattack and is yet to determine its impact. According to the Queensland Audit Office local government 2022 audit, councils are taking too long to resolve high-risk issues, with 65% of unresolved significant deficiencies as at 30 June 2022 remaining unresolved more than 12 months after being identified.

Significant deficiencies are those that have substantial financial or reputational risk for councils and need to be addressed immediately, explains the report. Almost two-thirds of councils still have significant deficiencies in their information systems, a concern given the increase in cyberattacks across the public sector.

The audit recommends the Department of State Development, Infrastructure, Local Government and Planning, in collaboration with the Queensland Government’s Customer and Chief Digital Officer, develop a strategy to increase awareness and improve capability in the sector on cyber-related matters. “It is critical that councils implement strong security controls to protect their data from cyber-attacks, undetected errors, and potential financial loss, including through fraud,” the document states.

Queensland’s Audit Office Forward work plan 2023–26 includes information on responding to and recovering from cyberattacks with insights and lessons learned on entities’ preparedness.

Lack of password controls, security governance policies

The most common issues identified were inappropriate access levels being assigned to council staff, lack of good controls to implement and monitor strong passwords, and lack of good policies to govern the security of information systems.
As per the audit, “implementing effective controls to mitigate the risk of cyberattacks should be performed on a cost–benefit basis,” which could be one of the issues stopping councils from taking appropriate measures.

In its 2020 report Managing cyber security risks, the Audit Office recommends that all of Queensland’s public sector entities assess whether they have a framework for managing cybersecurity risks, know what information assets they have, and know to what extent those information assets are exposed to cybersecurity risks.

NSW councils are also facing serious issues when it comes to cybersecurity, with almost half of the state’s councils not having a formal cybersecurity plan in place and not being required to follow guidance.