How one Victorian council is addressing the growing cyber threat

Like many local government organisations, Moorabool Shire Council is a significant target for cybercrime, particularly targeted phishing attacks.

The threat is very real for Moorabool, a fast growing, semi-rural municipality in southern Victoria which offers more than 50 ‘high transaction volume’ services to around 40,000 ratepayers. Its technology team, led by ICT manager Lalitha Koya, protects personal and financial information relating to adult residents and their children.

This includes credit card details, ratepayer information, and business and development proposals, which need to be protected. Without a layered cyber defence, councils like Moorabool can risk devastasting impacts on service delivery, loss of trust and big regulatory fines for failure to secure personal data of residents.

Koya says there is a commonality of growing threats to the council, mostly phishing attacks – followed by unsecured privileged accounts, inside threats, ransomware and malware with most of these threats originating in email.

Moorabool relies heavily on email for trusted communication and in the past few years, it has fallen victim to a ransonware incident involving email plus two other security incidents: one involved password credentials and the other was also a compromised email. While no credentials or information was lost, the most recent incident warranted a notifiable data breach.

Luckily, the council had a solid back up system with the right procedures and protocols and was able to recover from the latest incident within a day, Koya told CIO Australia.

“We knew whatever we did next, we needed to have measures in place to combat URL, spear-phishing, ransomware, attachment and impersonation attacks,” says Koya.

A cloud-first council

Moorabool has adopted a cloud-first software strategy and has been using parts of Office 365 – Outlook, Power BI, Teams and Skye for Business – since around 2014.

Over the past nine months, the council has been working to move its core ERP from Telstra data centres to Microsoft Azure. It is deploying the Datacom Datascope SaaS-based ERP product.

Securing data in the cloud can be a challenge as it inevitably can become an afterthought with some software-as-a-service (SaaS) providers, Koya says.

“When everything is on-premises, you think about the security aspects of applications, but people overlook these when moving into a cloud platform. If you are not thinking of security when moving to the cloud, you may end up offloading your issues to someone else,” he says.

Koya started reviewing the Moorabool’s security last year discovering that when using Microsoft 365, some of the security measures the council had in the past were less effective.

“We were really seeing a pattern, we saw more and more phishing and whaling attacks like impersonation being used so we had to focus and work out how we could mitigate our risk,” he says.

The council rolled out a Mimecast solution which has resulted in a big reduction in queries and reports from council workers – dropping from a few reports each month to almost zero.

User education is also a big part of the council’s data protection strategy with even the most tech-savvy staff members at risk of clicking on malicious links.

“People are usually busy and don’t take extra time to look closely and read emails. They look at a request and they just watch to jump in and respond; they don’t think twice,” Koya says.

The council has communicated the risks of these attacks to staff through its internal intranet and completed simulations of targeted phishing attacks to determine how many staff are still clicking on potentially malicious links in emails.

“I am currently working with our teams just to create some mandatory IT awareness or cyber awareness courses that we can push. It’s important now, if you are talking about Moorabool, we have 400 users made up of internal users and outdoor staff,” he says.

Up to 300 staff use its systems daily, including up to 150 people who work outdoors such as school crossing supervisors, parks and gardens workers, and nurses who provide social support to eldery people. Until recently, some of these staff didn’t have access to email, he says.

“They are not that literate in terms of understanding what to look out for in [malicious emails] so have a strong system is paramount because it takes time for some people to understand. The public sector is going through a huge digital transformation – it’s challenging to get the message about security out to staff.”

Koya adds that councils are often siloed, which can create vulnerabilities, which means that cyber security should not be an afterthought.

“We should constantly look at how we can improve it; there’s no silver bullet, you have to just keep working on the various elements,” he says.