WA local government entities have been put on notice to improve their cyber security policies and procedures after nine councils failed to detect a simulated cyber attack.
An audit, released on Wednesday, found that only three of the 15 audited entities were capable of detecting and blocking the simulated attacks in a “timely manner”.
“Only three LG [local government] entities had their systems configured to detect and block our simulated attacks in a timely manner,” the WA auditor said [pdf].
“It was concerning that nine LG entities did not detect nor respond to our simulations, and three LG entities took up to 14 days to detect the simulations.”
The auditor said that while the remaining 12 entities had systems in place to detect intrusions, “processes were not in place to analyse information generated by the systems in a timely manner”.
“Without these processes, LG entities may not effectively respond to cyber intrusions in time to protect their systems and information,” it said.
The audit also found only three entities had “adequate” cyber security policies, with the remainder of entities either with outdated policies (nine councils) or without policies entirely (three councils).
Only two had identified all their cyber risks, while 10 had considered some but not all.
Vulnerability management was also found to be a concern, with vulnerabilities of different types, severity and age found on publicly accessible IT infrastructure.
The two most common vulnerability categories identified were out-of-date software (55 percent) and weak, flawed or outdated encryption (34 percent).
The audit added that “44 percent of vulnerabilities were of critical and high severity, with a further 49 percent of medium severity,” and that most vulnerabilities were older than 12 months.
While three entities were found to have a process to manage vulnerabilities, none of these were “fully effective”, the audit said.
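The audit's vulnerability figures (share by severity, share by category, and how many findings are older than 12 months) are exactly the numbers a council's own vulnerability management process should be producing on a regular cycle. The script below is an added example, not code from the audit or from any of the entities: it reads a constructed scan export in an assumed CSV layout (real scanner exports use different column names) and produces that summary plus an overdue list, worst severity first, so that stale critical and high findings surface before anything else.

```python
"""Summarise an external vulnerability scan export the way the audit report did:
share of findings by severity, by category, and how many are older than 12 months.
Added example; the CSV below is constructed, not data from the audit."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export. Column names are an assumption; real scanners differ.
SAMPLE_CSV = """host,finding,category,severity,first_seen
web01.example.gov.au,Apache 2.4.29 end-of-life,outdated-software,high,2021-03-02
web01.example.gov.au,TLS 1.0 enabled,weak-encryption,medium,2021-03-02
mail.example.gov.au,Exchange missing cumulative update,outdated-software,critical,2022-11-14
mail.example.gov.au,Self-signed certificate,weak-encryption,low,2020-07-30
vpn.example.gov.au,Firmware out of date,outdated-software,high,2023-01-09
portal.example.gov.au,Missing HSTS header,misconfiguration,medium,2023-02-20
portal.example.gov.au,SSLv3 supported,weak-encryption,high,2019-12-01
dns.example.gov.au,Zone transfer allowed,misconfiguration,medium,2023-03-01
"""

SEVERITIES = ("critical", "high", "medium", "low")
MAX_AGE_DAYS = 365          # the audit treated findings older than 12 months as a concern
AS_OF = date(2023, 6, 1)    # fixed reference date so the example is reproducible


def load_findings(text):
    """Parse the CSV export into dicts with a real date and a normalised severity."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["first_seen"] = date.fromisoformat(r["first_seen"])
        r["severity"] = r["severity"].strip().lower()
    return rows


def _age_days(finding, today):
    return (today - finding["first_seen"]).days


def summarise(findings, today=AS_OF):
    """Percentages by severity band and category, plus the stale share."""
    total = len(findings)
    by_sev = Counter(f["severity"] for f in findings)
    by_cat = Counter(f["category"] for f in findings)
    stale = [f for f in findings if _age_days(f, today) > MAX_AGE_DAYS]

    def pct(n):
        return round(100 * n / total) if total else 0

    return {
        "total": total,
        "critical_high_pct": pct(by_sev["critical"] + by_sev["high"]),
        "medium_pct": pct(by_sev["medium"]),
        "category_pct": {c: pct(n) for c, n in by_cat.items()},
        "stale_count": len(stale),
        "stale_pct": pct(len(stale)),
    }


def overdue_report(findings, today=AS_OF):
    """Findings past the age threshold, ordered worst severity first, oldest first within a band."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    stale = [f for f in findings if _age_days(f, today) > MAX_AGE_DAYS]
    stale.sort(key=lambda f: (rank.get(f["severity"], len(SEVERITIES)), f["first_seen"]))
    return [(f["host"], f["finding"], f["severity"], _age_days(f, today)) for f in stale]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    print(summarise(findings))
    for host, finding, severity, age in overdue_report(findings):
        print(f"{severity:<8} {age:>5}d  {host}  {finding}")
```

On the constructed data the report shows half the findings as critical or high and half as older than 12 months, and the overdue list leads with the long-standing SSLv3 finding. Run against a real export on a fixed schedule, the same numbers give a council an objective measure of whether its vulnerability process is actually closing findings rather than merely recording them.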
Only five entities had recently tested the effectiveness of their security controls. Two entities had not conducted tests since 2015 and one entity had never tested.
The audit also found that the entities are at “significant risk” from phishing attacks. The entities were tested with a phishing email containing a link to a website that asked for credentials.
Staff at more than half of the entities accessed the link in the phishing exercise and, in some cases, provided their username and password, despite most entities providing staff cyber security awareness training.
At one entity, 52 people clicked the link and 46 provided their credentials after one staff member forwarded the test email to a wider group of staff and external contacts.
The auditor has recommended that technical controls and focused training be introduced to help prevent phishing in the future.
It has recommended that all entities improve their cyber security policies and processes, including by adopting the Australian Cyber Security Centre’s Essential Eight controls.