By Simone Brew, Managing Director and Gigi Au, Senior Associate of Matthews Folbigg Lawyers
As facilitators of essential services and infrastructure to the local community, local councils are responsible for substantial amounts of information, including personal information about residents. It is therefore essential that adequate cyber security and data protection measures are taken to prevent breaches or leaks.
The NSW Audit Office's Local Government 2023 report, tabled in March 2024, found that 50 councils had not implemented basic cyber security governance frameworks. The Audit Office flagged this as a significant risk, particularly since state and local government was the second-highest reporter of cyber incidents according to the Australian Cyber Security Centre's 2023-24 Annual Cyber Threat Report.
The NSW Government’s Cyber Security Guidelines for Councils
In 2022, the NSW Government released voluntary cyber security guidelines to assist NSW councils in developing their own internal cyber security frameworks. The guidelines were further updated in January 2025.
Firstly, the guidelines set out roles and responsibilities for effective cyber security management. The key roles suggested in the guidelines include:
- General Manager
- Chief Information Security Officer/Chief Cyber Security Officer
- Chief Information Officer/Chief Operating Officer
- Information Security Manager/Cyber Security Manager
- Information Management Officer
- Internal Audit and Risk Teams
- Third Party IT Providers
Secondly, to assist councils with cyber security governance, the guidelines set out six foundational requirements. In summary:
- Lead: Councils should implement cyber security planning and governance which includes allocating the roles and responsibilities suggested, developing a cyber plan, considering cyber threats, and conducting risk assessments.
- Prepare: Councils should build a cyber security culture by conducting staff training, encouraging staff to report suspicious material, and ensuring access to information is only given to the relevant staff.
- Prevent: Councils should manage risks by implementing security management systems, conducting audits and recording activity, and ensuring cyber security practices are built into any projects.
- Detect, Respond and Recover: Councils should detect incidents quickly so that they can respond adequately. To manage this effectively, it is suggested that councils develop a cyber incident response plan that is tested every year, monitor IT systems regularly, and report any incident to the Chief Information Security Officer.
Lastly, the guidelines refer to the Australian Cyber Security Centre's Essential Eight, a set of eight mitigation strategies that aim to make systems much harder to compromise.
- Application Control: This method involves controlling which applications can run on a system and allowing only those on a pre-defined approved list. Because unapproved executables are blocked from running rather than merely from being installed, malware that reaches a council system through email, a web download or removable media cannot execute.
- Patch Applications: Patching programs in a timely manner is essential to prevent potential avenues for exploitation. Programs which are out of date and do not regularly receive security fixes are much more vulnerable to attacks.
- Configure Microsoft Office Macro Settings: A macro allows for the automation of repetitive tasks in Microsoft Office applications. Whilst they can be useful, they can carry malware, so it is suggested that the use of macros is limited and monitored, for example by blocking macros in files received from the internet and allowing only signed macros or macros from trusted locations for staff with a demonstrated business need.
- User Application Hardening: Apply customised security settings on key programs, such as internet browsers, to make it more difficult for attackers to infiltrate. Default settings on most applications may not be secure.
- Restrict Administrative Privileges: Limiting the number of users who hold administrative and security privileges, and reviewing that list regularly, reduces the avenues an attacker can use to obtain an account with significant control over systems. Administrative accounts should also not be used for everyday tasks such as email and web browsing.
- Patch Operating Systems: Similar to the strategy of patching applications, operating systems which are out of date or have not had regular security checks are more vulnerable to attacks. It is therefore essential to conduct regular patching.
- Multi-factor Authentication: This method requires a user to present more than one type of evidence of their identity to gain access to a system. For example, after entering their password, the user may also be required to enter an authentication code or approve a prompt on a separate device. This means that a stolen or guessed password alone is not enough to access the account.
- Regular Backups: Backing up data and regularly testing that those backups can actually be restored is important to ensure data can be recovered in the event of a cyber security incident such as ransomware. Backups should be kept separate from the systems they protect so that an attacker who compromises those systems cannot also destroy the backups.
Receiving and storing personal information places obligations on councils to have strategies in place for its adequate protection. Although the guidelines are voluntary, they provide councils with a solid framework for assessing and mitigating the risks that arise.
Read the full guidelines for NSW councils here: https://www.olg.nsw.gov.au/wp-content/uploads/2022/12/2022-Cyber-Security-Guideline-Local-Government.pdf
Read the Australian Cyber Security Centre essential eight here: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
Matthews Folbigg Lawyers has a specialist team dedicated to Cyber Security.
If you would like more information or advice in relation to cyber security, contact Simone Brew at simoneb@matthewsfolbigg.com.au or Gigi Au at gigia@matthewsfolbigg.com.au of Matthews Folbigg Cyber Security Group.