Responding to and recovering from cyber attacks

Cyber incidents are unwanted or unexpected events that could compromise computer and information systems and business operations. They can cause significant disruption and are happening more often, according to the Australian Cyber Security Centre (ACSC). Across Australia, nearly 94,000 cyber crime reports were made to the ACSC in 2022–23 – a 23 per cent increase in one year. Queensland accounted for 30 per cent of these reports, which is disproportionate to its population size, and one in 8 reports nationally related to state or local government entities. Cyber risks are continuing to evolve, and new technologies such as artificial intelligence increase the risk.

In this report we discuss how prepared Queensland public sector entities, including local governments, are to deal with cyber security incidents. We examined 2 lead agencies with responsibility for guiding cyber security, and we audited 3 other entities with varying levels of resources and capability. We have not named them, to avoid publicly identifying any security vulnerabilities.

The current picture

Since we produced Managing cyber security risks (Report 3: 2019–20), the Queensland public sector has invested in building its cyber resilience. The Cyber Security Unit (CSU – Department of Transport and Main Roads) has worked with entities to improve their information security management systems (their policies and procedures for managing sensitive data). The government has made additional investments to provide support, share cyber intelligence, and assist government owned corporations and local governments.

Despite this, public sector entities are not as prepared as they have to be. Just having plans is not enough. They need to test their plans and readiness. They need to identify and address any skills gaps they have for dealing with cyber incidents. Also, some entities do not yet know about the services CSU provides, and CSU does not know which entities most need its help and expertise.

What entities need to do

The entities we audited had plans for managing cyber incidents, but all had room to improve. Their plans were not always well integrated with their risk management strategies, did not incorporate cyber insurance requirements, and were not designed to respond to a wide range of threats. One entity had struggled to integrate its plans due to consistent machinery of government changes (restructures of government functions). Some entities also needed to be clearer on roles and responsibilities and on how to escalate their responses to cyber incidents. Only one entity had tested its incident response plan, and all entities needed to do more to ensure they can effectively communicate in a cyber crisis. Some entities did not have an up-to-date and complete understanding of their critical systems and information assets – an essential starting point for cyber security.

Entities relied heavily on third parties or other government entities when dealing with responses to cyber incidents, and were not always clear on accountability requirements. None had tested how these third parties would perform in a crisis. This means they could not be confident the third parties would be available or have the expertise to deal with a real incident in an effective and timely manner.

What expert and lead agencies need to do

CSU needs to continue working with entities to improve their information security management systems. It also needs to help entities to assess their individual needs, which would assist it in deciding where to focus its support and training. CSU should also start helping entities test their incident response processes. Again, this will benefit CSU, because it will familiarise its external experts with public sector requirements.

The Department of Housing, Local Government, Planning and Public Works needs to ensure councils are aware of the cyber-related skills available through CSU and encourage them to use them.

The public sector entities we audited were not as prepared as they need to be. All had response and recovery plans in place, but they were not as effective or complete as they need to be to deal with the complications and risks associated with cyber attacks.

Entities’ capability and confidence in managing cyber incidents varied. We found that those who continually plan, rehearse, and test their people, processes, and technology were more likely to respond and recover effectively.

All of those we audited were reliant on parties outside of their entities for technical expertise and action on cyber incidents. None of them had tested these arrangements to ensure they would work, or to confirm that the third-party experts would provide timely responses in a cyber crisis.

Public sector entities cannot delegate responsibility for managing their cyber risks to an external organisation. Those charged with governance (such as executive management, boards, and councillors) must be satisfied that their entity has plans in place that are fit for purpose and have been thoroughly tested. Only one of the 3 entities we examined in detail had tested its plans. When we ran cyber security simulation exercises, it performed the best.

Entities also do not currently have all the capabilities they need to manage cyber incidents. This relates to technical cyber skills and capabilities, as well as supporting tools. They can access frameworks to guide them in understanding and developing capabilities, and the Cyber Security Unit (CSU – located within the Department of Transport and Main Roads) can help in selecting the appropriate framework and in assessing and developing capabilities.

The expertise of CSU is of great potential value to public sector entities, but not all the entities were aware of the breadth of services it offers, including its ‘communities of practice’, which share intelligence and learnings about cyber threats. CSU needs to address this by publishing a strategic plan and by increasing awareness of its services.

CSU has recently provided services to local governments. These entities – particularly the regional, rural, and remote councils – could benefit from accessing these to help protect themselves against cyber threats. This would help them be more aware of the risks they are facing and of the training, guidance, and resources they can access to help them deal with cyber threats.

The Queensland Government has increased its investment in cyber security, and much is now available to help entities protect themselves. Based on this audit, the lead and expert agencies, and the entities, now need to make a concerted effort to assess the threats; prepare their defences; and take full advantage of the expertise, resources, and intelligence at their disposal.

We gave specific recommendations to each of the 3 entities we examined in detail. All public sector entities – big or small – are a target for cyber criminals because of what they do and the information they hold. Cyber attacks are continuing to increase, and all entities need to ensure they are prepared to identify and respond to an incident. Accordingly, we provide the following recommendations, drawn from the learnings of this audit, for the benefit of all public sector entities.

We have also created a checklist of key questions (Appendix E) for those charged with the governance of public sector entities to consider when planning how they respond to and recover from cyber security incidents.

We recognise that implementing effective controls for cyber incident response should be performed on a cost-benefit and risk basis. Entities should decide, based on their individual organisational needs, the extent to which they can and should act on each of the following recommendations.

Reference to comments

In accordance with s. 64 of the Auditor-General Act 2009, we provided a copy of this report to relevant entities. In reaching our conclusions, we considered their views and represented them to the extent we deemed relevant and warranted. Any formal responses from the entities are at Appendix A.

Technical language

Cyber security is a complex field, and the language about it reflects this. It is necessary to use some of this language to be precise, but we have explained and simplified it in this report and provided definitions when necessary. We have provided extra details on many of the terms in the glossary (Appendix G).

A cyber incident is an unwanted or unexpected event that is likely to compromise computer and information systems and business operations.

The economic and social impacts of cyber incidents can be significant and long lasting, so entities must be proactive in managing their cyber security risks. The Australian Cyber Security Centre (ACSC – part of the Australian Signals Directorate) states that the most effective way to defend against cyber incidents is to implement appropriate preventative strategies. We covered some of these strategies in Managing cyber security risks (Report 3: 2019–20). If entities adopt them, they can reduce, and in some cases, prevent cyber threats.

The changing nature of technology means that cyber security threats evolve rapidly. This is compounded by the development of new technologies such as artificial intelligence and machine learning. For a measure of how damaging cyber security incidents can be, we only have to look at recent events at organisations such as Medibank and Optus.

Even the best prepared organisations can be susceptible, so all entities need to have effective plans in place to minimise potential damage. They need to be informed about the risks, and ready and able to manage them. 

Figure 3A shows the cyber security life cycle focus of our 2 reports. In Managing cyber security risks (Report 3: 2019–20), we mainly concentrated on prevention and preparedness (shown on the left-hand side of Figure 3A). This report examines response and recovery (right-hand side).

Cyber incidents in Queensland and Australia

The ACSC reported that in 2022–23, cyber incidents, including those impacting government entities, have increased in frequency and severity.

Roles, responsibilities, and requirements for responding to and recovering from cyber incidents

Figure 3C shows how roles, accountabilities, and responsibilities for cyber response and recovery activities within Queensland state and local governments are split between expert government agencies and individual entities.

Better practice frameworks and Queensland guidance

Appendix C lists different international, national, and state frameworks, policies, and guidance, which we refer to collectively as ‘better practice frameworks’.

Entities can access a variety of national and international frameworks to help them in managing cyber risks. Figure 3D shows the overall Queensland Government approach, which includes the overarching Queensland Government Enterprise Architecture (QGEA), the Queensland Government Information Security Policy (IS18:2018), and related standards and frameworks.

All public sector entities are responsible for managing their cyber security risks and being prepared to respond and recover when cyber events occur. However, policy requirements differ between different types of public sector entities, as outlined in Figure 3E.

Other legislative requirements

Public sector entities may have additional legislative obligations relating to cyber incidents. These obligations are dependent on the nature of their business and operations. For example, many public sector entities will hold personal information and may have reporting obligations under relevant privacy legislation, while those entities who own or operate critical infrastructure (services that are essential for everyday life, such as energy, communications, water, transport, and health) will have additional obligations under the Security of Critical Infrastructure Act 2018 (Commonwealth). We provide further detail on these obligations in Appendix D.

What we audited

In this audit, we assessed the role of lead agencies, and the preparedness of 3 public sector entities to respond to and recover from cyber security incidents. The entities have different levels of resourcing and capability for managing cyber security risks. We do not want to compromise the security of these entities by publicly identifying their security vulnerabilities, so we have not named them in this report.

Appendix B provides greater detail on our audit scope and methodology.

We use the term ‘entities’ in this report to refer broadly to all Queensland public sector entities (departments, statutory bodies, and government owned corporations) and local governments.

In this chapter, we report on how prepared the 3 entities we audited were in relation to responding to and recovering from cyber incidents. They may not be representative of all public sector entities in Queensland, and results cannot be extrapolated. However, all public sector entities should consider our findings and recommendations to determine if they are relevant to their own organisations and risks.

We identified a range of gaps and improvement opportunities in the audited entities’ approaches to cyber response and recovery. Figure 4A summarises the gaps across the areas we audited, which were:

• risk assessment
• incident response plans
• capability and sharing cyber threat intelligence (and lessons learnt).

Understanding cyber risks in system and information assets

Public sector entities must understand the systems they have and the information assets contained within them. This is essential if they are to effectively identify all potential risks that may be exploited by threat actors. They should periodically undertake cyber security risk assessments of key systems and those information assets that increase risk because of the desirability of the data they contain. These assessments should consider all possible points of system access by threat actors.

Of the 3 public sector entities we audited, 2 did not have an up-to-date or complete listing of the systems and information assets they held, and their risk assessment activities were not up to date. These entities did not have the information they needed to identify key risks and assess the potential business impacts on their operations.

Managing cyber risks from third-party systems

Not all entities manage their risks themselves. Some have contracts with other organisations to provide access to the necessary expertise and resources, including systems. In this report, we refer to these as ‘third parties’.

Not all the entities we examined had considered risks for critical systems and information assets managed by third parties. This means they were unaware of potential risks, and were therefore not actively managing these risks.

It is important for all public sector entities to consider cyber security risks relating to third-party arrangements. They should ideally do this prior to setting up or extending contracts. In this way, they can ensure appropriate arrangements (such as the provision of assurance certificates, which outline effectiveness of system controls and processes) are in place through contractual obligations.

We plan to conduct an audit on managing third-party cyber security risks in 2025–26.

Impact of machinery of government changes on cyber risks

Machinery of government changes (restructures of government functions) can cause disruption to public sector entities.

One of the entities we audited had been through various machinery of government changes over the last 5 years. As a result, it was using and relying on several systems managed by other government entities. This adds to the complexity of managing and responding to risks of a cyber incident. The entity did not have a well-integrated incident response plan and recovery plans to guide it in the event of a cyber incident.

It is important for any entity impacted by a machinery of government change to identify and understand its new critical systems in a timely manner, so it can manage its risks. Entities also need to clarify the roles and responsibilities for managing cyber incident responses across the new structure.

We have previously produced a guide – Checklist for managing machinery of government (MoG) changes – to assist entities to identify, manage, and monitor the associated operational and strategic risks.

Improving incident response plans

An incident response plan (IRP) is critical to incident response and recovery. It supports a swift and effective response to cyber incidents, in line with an entity’s security and risk management strategies and plans.

Alignment to better practice

All entities we examined had an IRP. Figure 4B provides a summary of the strengths and weaknesses we found when comparing these plans to better practice frameworks.

All public sector entities should continually improve their IRPs, particularly the playbooks they produce for managing different types of cyber risks.

Being fully compliant with better practice frameworks can require significant investment. Accordingly, entities have to decide and document the extent to which they are prepared and can afford to align to better practice frameworks, in line with their resources and risk appetites.

Entities told us that they would benefit from more guidance on how to effectively respond to common cyber risks and incident types. Common incident types include:

• ransomware (demanding payment to let entities into their own files)
• insider privilege abuse (by current or former employees with access to the system)
• social engineering (manipulating employees into giving up information)
• denial of service attacks (flooding a network to disrupt operations)
• malware (gaining access to a system via software)
• phishing (enticing users to share confidential information).

Appendix G provides more details on each of these incident types.

Understanding insurance arrangements

Having effective strategies and plans does not eliminate the risk of a cyber incident. Entities need to consider how they manage that residual risk. Many use cyber insurance arrangements to do this, as this can be an effective way to protect entities from financial impacts and losses. Those entities who do this need to fully understand their coverage and requirements and integrate them into their incident response planning.

Some of the entities we audited did not fully understand specific clauses and escalation points in their insurance arrangements. This could have meant that their insurance coverage was at risk in the event of a cyber incident.

Accountability for cyber risks

Some of the entities we audited had not clearly defined incident response roles, responsibilities, and accountabilities. One entity had assigned, through a memorandum of understanding, most information and communication technology (ICT) accountabilities to CITEC (a Queensland Government shared corporate service provider for ICT), including most cyber security monitoring and response.

Ultimately, the responsibility for cyber risks (as with all risks) rests solely with the accountable officer and they cannot assign it to external entities, including other government bodies. The accountable officer must be satisfied that third-party arrangements adequately reduce risks to an acceptable level. We discuss testing of third-party arrangements later in this chapter.

Testing cyber incident response strategies and plans

As entities are ultimately responsible for their own systems and information assets, they should regularly test their IRP and business continuity plans (plans which entities use to ensure they can continue to operate in the face of major business disruptions) to make sure they can adapt to the ever-evolving threat of cyber attacks. Those entities who regularly test their processes, people, and technology for a variety of cyber security incidents should have an increased chance of success.

Only one of the 3 entities we audited had previously tested its IRP through an entity-level cyber security simulation (one it conducted itself, of its own processes) to ensure that it was fit for purpose. This entity performed the best in our simulations.

Testing third-party arrangements through simulations

All 3 entities were reliant on third-party capabilities as a part of their incident response plans, but none had ever tested these arrangements.

It is important to use simulations to test any third-party arrangements. They give entities insights into whether they will deliver the services and expertise needed in the event of an actual incident. Public sector entities should not be testing these arrangements for the first time during an incident.

For third parties to be effective and respond promptly to incidents, they need to become familiar with public sector systems and environments. The greater the reliance entities place on these arrangements, the more time and effort they need to invest in familiarising the third parties.

The following case study shows the importance of a quick response in the event of a cyber incident.

Whole-of-government cyber security simulations

The CSU has conducted annual whole-of-government incident response simulations for the past 3 years. These simulations have had good participation rates from Queensland Government departments.

The main objective of these simulations has been to test the Queensland Government Cyber Security Operations Plan. The plan aims to detail the whole-of-government coordination and communication response to cyber incidents.

These simulations are important and should continue to be held at regular intervals. They test different events and scenarios to continue building resilience at a whole-of-government level. However, the simulations have not been designed to assess the preparedness of individual entities to respond to or recover from a cyber security incident.

During our audit, one entity was under the misconception that its participation in CSU’s whole-of-government simulations was evidence that its incident response plans and approach were effective. CSU should take steps to fully educate entities participating in its whole-of-government simulations on the limitations of what these simulations mean for them. We discuss this further in Chapter 5.

Planning communication strategies and escalation points

In a time of crisis, trust erodes when the public, employees, and customers are not provided with timely, consistent, or informative communication. In accordance with better practice frameworks, we expected entities to have clear, consistent, and endorsed communication plans, protocols, and templates to guide their communication in the event of a crisis. Not all did.

For those that did have communication plans and templates, most of the documents were in draft and incomplete. The cyber crisis communication plans were commonly missing clear processes and thresholds for:

• contacting those charged with governance, relevant ministers, the Department of the Premier and Cabinet, and CSU
• contacting key stakeholders (such as employees, insurers, Office of the Information Commissioner, and the public)
• escalating communication to other agencies.

Entities showed a lack of consistent content and messaging in internal and external communications during the cyber security simulations. This inconsistency could result in a lack of trust if internal messaging is found to be inconsistent with external messaging.

Capabilities for incident response and recovery

Entities may require access to a broad range of skills, capabilities, and tools to effectively navigate a cyber incident. These span:

• technical areas such as digital forensics (the ability to assess the source and extent of a breach) and a security operations centre (which is the focal point for network security operations)
• non-technical areas (such as crisis management and communication)
• general ICT areas (such as system applications and networks).

We refer to these collectively as ‘capabilities’ within this report. These may be sourced through a combination of in-house and third-party resources.

While all 3 chief information officers (or equivalent) were aware of limitations in their own entities’ cyber technical skills, none of the entities had formally assessed their capability. They need to do so, in detail, to ensure they understand and can address any gaps.

Public sector entities can consider several models in formalising a skills and capability assessment. In Appendix F, we provide an example framework that details the key technical and non-technical capabilities required for cyber incident response and recovery. It can be used by entities to assess their capabilities.

We discuss broader capability building across Queensland public sector entities further in Chapter 5. Appendix G – Glossary, provides more detailed explanation of the various capabilities needed to manage a cyber incident.

Capturing, recording, and sharing cyber threat intelligence

All audited entities demonstrated an understanding of the importance of sharing cyber threat intelligence (CTI). However, for each entity, weaknesses were identified in the processes put in place to capture and share learnings. Gaps were identified in relation to:

• processes on where and how to capture lessons learned, and how to conduct assessments of incidents
• the tracking and monitoring of actions and/or recommendations arising from lessons learned exercises
• identification of external stakeholders to share information with, and the correct medium for sharing.

This could lead to a missed opportunity for the sector to build cyber resilience.

In this chapter, we report on the effectiveness of lead and expert agency strategies for supporting state and local government entities in managing cyber incidents.

The role of the Queensland Government Cyber Security Unit

The Queensland Government Cyber Security Unit (CSU), within the Department of Transport and Main Roads, is the lead agency for Queensland cyber security operations and management.

CSU sets cyber security policy and guidance for Queensland Government departments and statutory bodies, providing:

• cyber security leadership
• governance, policy, and standards
• coordinated responses to cyber security incidents
• development of cyber security capability across government
• greater cyber security awareness.

CSU also provides assistance to local governments and government owned corporations.

Promotion and awareness of CSU’s products and services

CSU plays a critical role in supporting public sector entities across Queensland in the management of cyber security. In June 2023, the Queensland Government committed $73.5 million in additional funding to CSU over 4 years (from 2023–24 to 2026–27) and $17.8 million ongoing (from 2027–28). This was to expand and improve the services CSU provides.

CSU needs to do more to increase awareness of its services and increase its engagement with entities. Its services, such as access to specialist skillsets to assist entities during a cyber incident, can assist in the management of risks and in building capabilities within entities. However, it currently provides limited documentation outlining what products and services are available and the benefits of using them.

It has put initiatives in place, such as communities of practice, to help build awareness, but more is needed to capitalise on the investment the Queensland Government has made. Not all entities we audited had awareness of CSU’s products and services specific to managing and coordinating cyber security response and recovery.

Publishing a strategic plan

While CSU has a vision, it does not have a strategic plan. It also does not have supporting plans in place to implement its vision – which is important to address areas such as key person risk. We would expect to see a strategic plan that covers, at a minimum:

• the vision, purpose, mission statement, and role of CSU in managing cyber risks across the state
• strategic objectives that will drive the vision
• current challenges and services of CSU
• key threats in the current Queensland environment
• key performance indicators or performance targets to measure effectiveness.

CSU has drafted the Queensland Government Cyber Security Operations Plan, which has been circulated for consultation. The objective of the plan is to facilitate coordinated and cooperative escalation and response during a cyber incident.

It is designed to acquit CSU’s responsibilities for responding to a whole-of-government cyber incident under the disaster management arrangements. It does not cover CSU’s broader role, responsibilities, or services.

The New South Wales and Victorian governments’ equivalent cyber security units have published their strategies and plans across their jurisdictions.

Leading the public sector in increasing cyber resilience

Guidance materials to better support entities

CSU provides public sector entities with access to a variety of guidance and materials to support the management of cyber risk. In September 2018, it issued the Incident Management Guideline. The guideline provides information for Queensland Government departments on the recommended practices for establishing and implementing an information security incident management policy and a planned, systematic approach to handling an incident.

It appropriately references the relevant framework, ISO 27000 incident management standard (ISO 27035). It also provides entities with an example playbook (incident response procedures) on phishing (tricking entities and individuals into providing access to data and information, often through fraudulent emails or texts).

On its website, CSU also provides links to more guidance including:

• Australian Cyber Security Centre resources
• other ISO standards
• both the Australian and Queensland Information Commissioner websites, given their roles in information management
• various other legislation, policies, and guidance, and other resources.

CSU’s guideline could be enhanced by:

• including updates for the most recent release of the ISO 27035 (2023)
• developing and sharing practical examples for a range of common cyber scenarios.

All 3 of the entities we audited stated that they would appreciate more guidance from CSU on how to improve their incident response plans and promote a culture of continuous improvement, to help them stay across the rapidly changing cyber risks facing the public sector.

Helping public sector entities test their incident response plans

As detailed in Chapter 4, CSU conducts cyber simulations that test the response to cyber incidents at the whole-of-government level. While this is an important exercise, public sector entities must also regularly test their individual readiness to respond to a cyber incident. To date, CSU has not assisted entities in coordinating or running individual simulations.

The investment made in CSU to provide public sector entities with access to incident response capabilities has been an important step. This work is undertaken through CSU by a panel of third-party incident response providers. It is expected that many public sector entities will use CSU’s incident response capabilities, but these capabilities must be tested within entities’ environments.

For CSU to be fully effective and able to deliver timely incident response services, its external providers must understand the systems and environments they are working with. Being involved in cyber simulations at individual entities presents CSU with an opportunity to assist the entities with their own readiness, and to ensure that its incident response providers build the necessary understanding of public sector entities.  

Understanding the current state of public sector cyber capability

CSU is responsible for supporting the development of the Queensland Government’s cyber security workforce. As with many professions, experienced and qualified cyber security consultants are in high demand.

At present, CSU does not fully understand the level of capability within public sector entities. It has not assessed entity-level capabilities or (as previously discussed) provided support to public sector entities in assessing them. Doing so would enable it to better target its investment in building cyber resilience by directing resources and training to the most significant gaps.

Numerous frameworks are available to assist in identifying and developing cyber skills and capabilities. One such example is the Australian Signals Directorate (ASD) Cyber Skills Framework. The skills framework (Figure 5A) helps users map and develop skills using 9 cyber role definitions, 9 capability and skill definitions, 7 proficiency levels, 4 career pathways, and a learning and development pathway.

Providing cyber security and technology training

CSU provides training courses ranging from basic computer operations to full cyber security certificates. These courses are offered to public sector employees at cost, or subsidised depending on the course and the type of public sector entity. They are not targeted to specific roles or agencies.

Figure 5B shows an increase in training uptake since 2020, when the training opportunities were reduced during COVID-19. CSU has engaged external providers to offer a variety of courses in the last 5 years (January 2019 to December 2023). This has increased from 2 courses in 2019, to 22 courses in 2023, with a total of 867 participants completing courses over this period.

While the delivery of training has increased, CSU’s current training offerings may not be meeting the needs of the Queensland public sector. CSU performs limited analysis on training data. It is not aware of whether the courses are being undertaken by the public sector entities and employees who have capability gaps. It needs to examine its funded courses – by entities, attendees’ positions, and whether they completed all the content – to build this understanding.

CSU also needs to be more targeted in its training offerings. It could better align them to the needs of entities and their staffs’ development needs to ensure that significant capability gaps are addressed. CSU’s lack of understanding of current capability gaps across the sector has prevented it from doing this.

Improving information security management systems

Chief executives of departments and some statutory bodies (those who have been directed to comply with IS18:2018 and its annual return requirements, refer to Chapter 3) must attest to the appropriateness of their information security under IS18:2018 (the Queensland Government’s information security policy). This includes providing an information security annual return by 30 September each year. A third party must conduct periodic reviews of the annual returns to assess the entity’s information security management system (ISMS) to conclude:

• if it is fully operational
• if it aligns with ISO 27001
• its overall effectiveness.

Entities must publish the results in their annual report.

CSU consolidates returns and reports outcomes to chief executives. Since our last audit on cyber security in 2019–20, CSU has assisted in-scope entities to improve their ISMSs, increasing overall compliance with IS18:2018 (Figure 5C). In 2019–20, only 18 per cent of departments had appropriately designed and implemented an ISMS. By 2022–23, 86 per cent had one.

ISMS compliance reviews are only required for departments and some statutory bodies that fall under IS18:2018 requirements. Other public sector entities are not required to review their ISMS, but are encouraged to do so. This restricts CSU’s ability to monitor risks and capabilities at the entity level, outside of departments and those statutory bodies who comply. The policy states that all statutory bodies must have regard to IS18:2018. This means that they must consider and document whether the framework applies to their circumstances in setting their own internal controls and policies. It is unclear whether all statutory bodies have undertaken and documented this assessment. One of the entities we audited had considered this and adopted the principles of IS18:2018, but this was not documented or shared with CSU. For government owned corporations and local governments, there is no requirement to do this.

Also, current IS18:2018 requirements do not explicitly address incident management readiness, which can only be tested through cyber security simulations. Testing of incident management plans is critical to improving the effectiveness of cyber responses.

Increasing cyber threat intelligence and transferring knowledge

CSU runs communities of practice with technical and security leads from across the Queensland public sector. These forums are used to share cyber threat intelligence, provide updates, advocate for learning or training opportunities, and share ideas.

The following case study demonstrates the value of acting promptly on shared intelligence.

This case study shows the value in CSU promptly sharing cyber threat intelligence through alerts to entities. However, 2 of the 3 entities we audited were not aware of the community of practice forums. CSU needs to improve awareness of its activities.

All 3 entities had ideas for additional guidance and better practice frameworks for CSU to share through its communities of practice. A key example was generic playbooks for various cyber scenarios – for entities to customise to their needs and circumstances.

Increasing cyber resilience in the local government sector

Local governments deliver a range of critical services to the public, such as water and sewerage services. They must be as prepared as possible to manage a cyber incident. The following case study demonstrates the prolonged and costly consequences cyber incidents can have on local governments if they are not able to access the required cyber incident response skills in a timely manner. It includes 3 examples which impacted councils since 2020. These councils included regional councils, and those with both small and large populations.

Local governments do not have to comply with or have regard to Queensland Government policies and requirements, including IS18:2018. They can choose a cyber security incident response framework that best suits them.

There are no central strategies, policies, or procedures for managing and coordinating cyber response and recovery capabilities specific to local governments. However, CSU has been funded to provide them with essential cyber advice and services. Given the large variability in capabilities and resources available across the local government sector, this presents both a challenge and an opportunity.

One of the entities we examined in detail in this audit was a local government, which was not aware of the CSU’s support offerings prior to the audit but has since started engaging more frequently with it.

The role of the Department of Housing, Local Government, Planning and Public Works and the councils themselves

As the lead department for local governments, the Department of Housing, Local Government, Planning and Public Works (the department), has a role in providing advice to councils on managing risks – to ensure they comply with the requirements of the Local Government Act 2009 (or equivalent) and associated regulations. These include cyber security risks, but the department does not have the requisite skills to provide specialist advice to councils regarding cyber response and recovery. It can do more to raise awareness and connect the councils with CSU.

Local governments could also consider establishing agreements with neighbouring councils to increase their access to expertise in the event of a cyber-related crisis. This can be a cost-effective solution for smaller, regional, or remote councils that cannot afford to have in-house cyber security expertise or access it externally.