Local councils are under pressure as they try to meet growing commitments while dealing with constrained budgets. The last thing they need is a security breach to upend both activities. But with growing cyber-threats, that’s exactly what could happen.
Like many regional councils, Port Macquarie-Hastings Council (‘Council’) in mid-north-coast New South Wales is responsible for securing critical infrastructure as well as residents’ private data. It must protect these assets with limited finances and skills.
Instead of deploying a technology fix to merely tick a compliance box, Council had the foresight to dig deeper and discover the core problems. As the largest Australian-owned technology services business, Telstra Purple was aptly placed to offer a Security Health Assessment to give a high-level view of the Council’s current security posture.
Shedding light on the problems
The Security Health Assessment highlighted that although Council had invested in security tools, there were significant gaps in security controls and the maturity of the underlying processes. Controls provide guidelines for using security tools and processes, and without them, even advanced security measures aren’t as effective as they should be.
The findings of the Security Health Assessment were compelling. They convinced the Council’s CEO and management to engage Telstra Purple for an in-depth analysis of the security environment.
One source of expertise for everything security
Port Macquarie-Hastings Council chose to engage Telstra Purple for their breadth of expertise. Specifically for security, Telstra Purple could offer the full spectrum of services—from discovering issues, articulating results, and creating frameworks to providing toolsets to rectify them—and deliver them locally.
That’s different from many security consultants. Some may do high-level assessments, others might address IT requirements, and others again may do the integrations. The upshot is separate people doing separate projects. With no single view of the environment, misinterpretation, lack of cohesion, or missed vulnerabilities may occur.
No stone left unturned
Telstra Purple performed a comprehensive Enterprise Risk and Controls Assessment aligned with international standards of practice.
The first step was to discover the Council’s electronic and physical assets. This phase assessed infrastructure, systems, applications, the information held, as well as the role of the Council’s service providers in protecting these assets. Following this, a business impact assessment was undertaken. Here, a value was ascribed to information, systems, and services to understand the fallout if they were disrupted or compromised.
The next step was a threat assessment. This asked what deliberate or accidental events could impact information, systems, or services. How could cyber-criminals hack into systems? What could fail? And how would a breach or outage reverberate across interlinked systems?
With threats identified, Telstra Purple could weigh the possible risks. These possible risks were mapped to 573 selected controls, and the effectiveness of those controls was measured. The controls’ effectiveness score could then be used to assess the actual risk ratings. These would determine the measures needed to uplift the security environment.
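As an added illustration (not material from the Council's assessment or from Telstra Purple), the following Python sketch models the flow just described: a business-impact value per asset, a threat likelihood, controls mapped to each risk with a measured effectiveness score, and the residual rating that tells you where to prioritise uplift. The scoring formulas, rating bands, asset names and CTL-xx control references are assumptions constructed for the example.

```python
"""Toy model of the assessment flow above: BIA value per asset, threat likelihood, controls
mapped to each risk, their measured effectiveness, then a residual rating. Formulas are assumed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    impact: int  # business impact value from the BIA, 1 (minor) to 5 (severe)

@dataclass
class Control:
    ref: str              # placeholder reference, not a real framework identifier
    effectiveness: float  # measured effectiveness, 0.0 (absent) to 1.0 (fully effective)

@dataclass
class Risk:
    threat: str
    asset: Asset
    likelihood: int  # 1 (rare) to 5 (almost certain)
    controls: list = field(default_factory=list)
    def inherent(self) -> int:
        return self.likelihood * self.asset.impact  # risk before controls (assumed 5x5 matrix)
    def exposure(self) -> float:
        e = 1.0  # layered controls: what gets through is the product of what each lets through
        for c in self.controls:
            e *= 1.0 - c.effectiveness
        return e
    def control_effectiveness(self) -> float:
        return 1.0 - self.exposure()  # combined controls' effectiveness score
    def residual(self) -> float:
        return round(self.inherent() * self.exposure(), 2)  # the "actual" risk score

def rating(score: float) -> str:
    # Assumed banding of the residual score onto the rating that drives investment priority
    return "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def prioritise(risks: list) -> list:
    """Highest residual risk first: where the next security dollar should go."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)

# Constructed sample data, not drawn from the Council's assessment
scada = Asset("water treatment SCADA", impact=5)
records = Asset("ratepayer records database", impact=4)
mfa = Control("CTL-01 remote-access MFA", 0.5)           # partially rolled out
backups = Control("CTL-02 tested offline backups", 0.6)
segment = Control("CTL-03 OT network segregation", 0.0)  # planned, not yet in place
RISKS = [Risk("ransomware via compromised remote access", scada, 4, [mfa, segment]),
         Risk("ransomware via compromised remote access", records, 4, [mfa, backups])]
```

Running `prioritise(RISKS)` puts the SCADA scenario first (residual 10.0, High) because its only effective control is the half-deployed MFA, while the records database, protected by MFA plus tested backups, drops to 3.2 (Low): the same threat and likelihood, but the controls' effectiveness score changes the actual rating.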
The success of the engagement relied a great deal on the openness of the Council. To their credit, Council staff members were motivated, forthcoming, and honest.
A roadmap for a secure future
The findings of the Enterprise Risk and Controls Assessment are still being distilled. Nevertheless, when immediate threats were flagged, Council acted quickly to rectify matters.
More than just a one-off exercise, the assessment provides a blueprint for ongoing security by addressing underlying problems, not just the symptoms. With the blueprint, Council can help ensure that security is integral to people, processes, assets, and technologies. And that systems and services are secure by design, secure by default, and secure in operation.
As a further advantage, Council now knows where to invest in security, and where to prioritise investment to mitigate the most serious risks. It can take intelligent action backed by data. And take action it will. The engagement showed that Port Macquarie-Hastings Council is not afraid to tackle the hard issues head-on, whether for security or any other aspect of operations.