Council amalgamations raise cybersecurity risk


One of the most costly and complex aspects of council amalgamations in New South Wales is IT integration, and managing the new cybersecurity risks that can easily emerge in the process is a significant concern.

Big economies of scale was one of the government’s main selling points for mergers, but they won’t materialise anytime soon, and in the end, might never be as grand as promised. IT integration will be crucial to realising those potential savings, and it also has the potential to eat into them in the short-to-medium term.

Merging the operations of several different local governments must be done with great care to maintain information security, according to Nev Finch, senior IT leader at the new MidCoast Council.

“Getting technical infrastructure to work is all fine, but you’re bringing people of different backgrounds and different journeys and different systems together and the risk associated with that, from a cybersecurity point of view, is fairly high,” Finch told The Mandarin.

Three councils merged to form the new entity — Gloucester Shire, Greater Taree and Great Lakes, previously based in the town of Forster — and each was previously going its own way, running a different suite of services with a unique set of constraints.

“We’ve only created a [virtual private network] between the three sites and we’re only routing server networks,” said Finch, explaining his approach has been “very, very cautious” at MidCoast.

He is “reasonably confident” in the IT security strategies put in place in by Taree, but can’t be sure about the other smaller councils without running a full audit, which obviously adds to the time and money required. Gloucester was the smallest of the three and had only a single IT staff member, for example, so it can’t be assumed it had as many layers of security as its larger neighbours.

“But at the same time, business needs are driving us to move rapidly forward to a merged entity,” said Finch. “Balancing those up is going to be a challenge.”

After being recruited from the private sector, he says it is a whole different ball game working for such a spread-out organisation running a diverse range of enterprises and facilities; MidCoast now runs a combined portfolio of nursing homes, stockyards, art galleries and other facilities over a 10,000 square kilometre area.

“You don’t have the secure networks that you’re used to in private industry that you build around a couple of core business applications,” said Finch.

“You’ve got multitudes of applications and multitudes of locations.

“Then when you add in traditional local government people, who have worked in the industry for quite some time, and haven’t probably had the training and exposure to cybersecurity, it adds that extra layer of complexity in bringing those together.”

‘Be open to collaboration’

Dane Meah, the chief executive of cybersecurity firm Infotrust, told The Mandarin the amalgamations had undeniably created “real cybersecurity challenges” beyond those that would already be present. According to Finch, he’s not exaggerating.

Meah has 70 councils on his client list nationwide, including 56 in NSW, and says they’ll have their work cut out for them just managing the basic IT integration they need “to keep the lights on”, especially where compatibility problems arise. He advises “councils need to be open to collaboration and innovation” in cybersecurity.

“Citizens are demanding that governments deliver online services as securely as the private sector. That’s why collaboration has never been more important — between new and existing councils, state and federal governments and the private sector,” Meah said.

Earlier this year, insurance company Aon’s local government lead Paul Crapper expressed alarm that cybersecurity did not register among the top 10 business risks in his firm’s annual nationwide survey of councils. Interestingly, the general risk of “merger” came in ninth position.

Aon’s survey of the whole country doesn’t fit with Infotrust’s experience in NSW, according to Meah. He believes local governments in NSW are generally taking the threat seriously enough, but also claims it’s “not realistic” that they could keep up with the growing “frequency and sophistication” of attacks if they’re relying on in-house skills and knowledge alone.

Finch says cybersecurity has been “fairly front of mind” throughout the march towards amalgamation, but has come into sharper focus for IT managers after the event.

Another challenge for MidCoast, he says, is that its establishment became a real possibility quite late in the amalgamations piece, giving it less time to consider and prepare than some others.

Even so, Finch assures us the new council has “fairly large plans” in place to connect up all its components, involving substantial investments in core business systems and IT infrastructure.

The obvious high-value data is well protected but the amount of information that council systems contain is growing all the time as they increasingly move to online services like everyone else.

Finch is quite confident but he notes the risks are high. It’s the community’s data you’re protecting, and anything going wrong could make it harder for the newly merged entity to go forward.

“If something goes wrong, everyone’s going to know about it, and it undoes all the good work that you’re doing as local government.”

About the author
Premium

The essential resource for effective public sector leaders

Can you afford to miss the next briefing from Mandarin Premium? Sign up today.

Get Premium Today