Low cyber-security awareness is making local councils a target, says expert

Bunjil Place was tangled up in a cyber security incident last month, potentially exposing the names and email addresses of subscribers to its e-newsletter service.

By Eleanor Wilson and Cam Lucadou-Wells

A leading cyber-security firm says local councils need greater data security training to keep user information safe, after the City of Casey’s Bunjil Place e-newsletter service fell victim to a cyber attack last month.

International cyber-security firm Varonis said attacks on public service organisations show how important it is for companies to have tight control over their data.

It comes after the service provider of City of Casey’s Bunjil Place e-newsletter, WordFly, endured a security incident on 16 July, potentially compromising the names and email addresses of thousands of users.

In a statement to email subscribers, the City of Casey clarified that the incident did not affect any other council e-newsletters, which are sent via different email providers.

“On Saturday 16 July, WordFly confirmed that names and email addresses of those subscribed to the Bunjil Place e-newsletter may have been impacted,” the council stated.

“There is currently no evidence that any of this data has been misused.”

The council added that users’ Bunjil Place accounts, which contain more sensitive information, are not stored in WordFly and were not affected by the incident.

“While we are awaiting further information from WordFly, please be extra vigilant of potential phishing or spam emails you might receive.”

City of Greater Dandenong IT executive manager Michelle Hansen said the council had an “ongoing education program” to improve staff awareness of cyber security issues and threats to reduce the risk.

“Council invests in network security monitoring tools and undertakes regular security audits to ensure the protection of its data which is also governed by security protocols.”

Scott Leach, vice president of Asia Pacific-Japan at Varonis, said hackers, particularly those developed by foreign nation-states, are becoming more sophisticated.

“It is becoming more difficult for organisations to even detect breaches when they do happen,” he said.

“Many of the attacks that we are observing at Varonis contain ‘intelligent’ malware that is capable of side-stepping even some of the most advanced defence tools in the market.”

Varonis research shows 53 per cent of companies have at least 1000 sensitive files open to all employees, meaning it takes just one employee’s account to be compromised for hordes of sensitive information to be reached.

But there is a solution, according to Mr Leach.

“Councils and other public sector organisations, especially those with high numbers of contractors, should restrict access to their most sensitive files, ensuring only those who really need them have access,” he said.

“This process ensures that if a data breach ever does occur, the risk of attackers stealing these sensitive files and moving laterally throughout the network is significantly reduced.

“With little or no access to sensitive files, ransomware is significantly less effective, saving organisations thousands of dollars, if not millions in some cases, and also severe reputational damage.”

Jon Lang, chief executive officer of DDLS, Australia’s largest cybersecurity training provider, said 92 per cent of Australian organisations experienced a phishing attack in 2021.

Phishing describes a type of scam, in which the scammer disguises themselves as a trusted sender in order to obtain private information, such as login credentials or credit card information.

“While organisations might have security tools and technologies to detect and block ransomware, this is an increasingly-penetrable line of defence against highly-sophisticated hackers,” Mr Lang said.

“The first line of defence must be ensuring staff don’t fall for the deception – and the way to do this is by raising the level of cyber-security understanding throughout the general workforce.

“We desperately need to boost the level of cyber education in our local councils, and the wider public sector.”