Cyber Security Gaps Leave NSW Councils Vulnerable

A concerning number of New South Wales councils remain vulnerable to cyber attacks despite improvements in some areas, according to the NSW Auditor-General's 2024 report on local government cyber security.

The audit, which examined 128 councils, 13 joint organisations and nine county councils, found significant shortcomings in cyber security planning, risk management, and incident response capabilities across the sector.

Among the key findings, 36 councils had not rated their cyber risks at all, while 37% of those that did evaluate their cyber risks found they exceeded their risk appetite. Additionally, 41% of councils lacked formal plans to improve their cyber security posture.

"There are significant shortcomings in council plans to improve their cyber security," the report stated, highlighting a concerning gap between risk identification and remediation efforts.

The Office of Local Government (OLG) issued Cyber Security Guidelines for Local Government in December 2022 and updated them in January 2025. However, these guidelines remain recommendations rather than mandatory requirements, allowing councils to adopt various frameworks with differing levels of protection.

While 100 councils have adopted the Australian Cyber Security Centre's Essential Eight framework, the report noted this alone "may protect key systems and data, but may not provide sufficient focus on other cyber security elements that are included in the Guidelines."

The audit revealed 37 councils still operate without a cyber security policy, with 49% of these being rural councils. Furthermore, 64% of councils had not identified all information assets requiring protection, potentially leaving critical systems vulnerable to attacks.

Incident response capabilities also showed concerning gaps, with 33% of councils lacking a centralised register of cyber incidents and 43% operating without a cyber incident response plan. Of those with response plans, 44% did not have supporting playbooks detailing step-by-step actions for handling incidents.

The report detailed two case studies where councils experienced cyber security incidents involving third-party systems in 2024. In one case, a council's vendor-hosted payment system fell victim to a "carding attack" where threat actors verified stolen credit card numbers through the system. Another council faced a situation where a third-party library system was compromised, potentially exposing customers' personal information.
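The carding case described above leaves a recognisable trace in a payment system's authorisation log: one client source cycling through many distinct card numbers with small-value charges, most of which decline. The following detector, added here as an illustration and not code from the audit report or from any council or vendor, runs a sliding-window check over constructed log lines. The log format, the `src`/`card`/`amount`/`result` field names, the sample addresses and the thresholds are all assumptions; the `card` field is treated as a gateway token or hash, never a raw card number.

```python
"""Carding-pattern detection over payment gateway authorisation logs.

Added example. Log layout, field names, sample values and thresholds are
assumptions chosen for illustration, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, then key=value fields).
# 203.0.113.10 tests one tokenised card after another with $1.00 charges;
# 198.51.100.7 is an ordinary customer whose first attempt declined and who retried.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=203.0.113.10 card=h_0a1 amount=1.00 result=DECLINED
2024-05-02T10:00:04Z src=203.0.113.10 card=h_0a2 amount=1.00 result=DECLINED
2024-05-02T10:00:07Z src=203.0.113.10 card=h_0a3 amount=1.00 result=APPROVED
2024-05-02T10:00:09Z src=198.51.100.7 card=h_cust amount=45.00 result=DECLINED
2024-05-02T10:00:11Z src=203.0.113.10 card=h_0a4 amount=1.00 result=DECLINED
2024-05-02T10:00:14Z src=203.0.113.10 card=h_0a5 amount=1.00 result=DECLINED
2024-05-02T10:00:18Z src=203.0.113.10 card=h_0a6 amount=1.00 result=APPROVED
2024-05-02T10:00:40Z src=198.51.100.7 card=h_cust amount=45.00 result=APPROVED
"""


@dataclass
class Attempt:
    """One authorisation attempt. `card` is a token/hash, not a PAN."""
    ts: datetime
    src: str
    card: str
    amount: float
    approved: bool


def parse_line(line: str) -> Attempt:
    """Parse one 'TIMESTAMP key=value ...' log line into an Attempt."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Attempt(ts, kv["src"], kv["card"], float(kv["amount"]),
                   kv["result"] == "APPROVED")


def parse_log(text: str) -> list[Attempt]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_carding(attempts, window=timedelta(minutes=10), min_cards=5,
                   small_amount=5.0, small_share=0.8, max_approval_rate=0.5):
    """Flag a source when, within `window`, it presents at least `min_cards`
    distinct card tokens, mostly small charges, with a low approval rate.

    Returns one alert dict per flagged source, raised at the moment the
    thresholds are first crossed (as a streaming rule would)."""
    by_src = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        by_src[a.src].append(a)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            cards = {e.card for e in win}
            if len(cards) < min_cards:
                continue
            small = sum(e.amount <= small_amount for e in win) / len(win)
            approvals = sum(e.approved for e in win) / len(win)
            if small >= small_share and approvals <= max_approval_rate:
                alerts.append({
                    "src": src,
                    "distinct_cards": len(cards),
                    "attempts": len(win),
                    "approval_rate": round(approvals, 2),
                    "first": win[0].ts.isoformat(),
                    "last": win[-1].ts.isoformat(),
                })
                break  # one alert per source per run is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_carding(parse_log(SAMPLE_LOG)):
        print("possible carding:", alert)
```

On the sample, only 203.0.113.10 is flagged: by its fifth attempt it has presented five distinct tokens, all at $1.00, with one approval in five. The retrying customer never exceeds one card token and is left alone. The thresholds are deliberately conservative placeholders; in practice they would be tuned against a council's own traffic, and the alert would feed the centralised incident register and response playbook the audit found many councils lacking, since the approved low-value attempts are exactly the cards the attacker has now confirmed as live.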

Cyber security awareness training, a critical defence against social engineering attacks, appears to be declining. Only 69% of councils required all employees to complete cyber awareness training in 2024, down from 74% in 2023, though still significantly better than the 24% recorded in 2019.

The Australian Cyber Security Centre's Annual Cyber Threat Report 2023-2024 noted over 87,400 cybercrime reports nationwide, with 12% of the reported incidents relating to state and local government, underscoring the sector's exposure.

Resource constraints remain a significant challenge, with councils struggling to attract and retain skilled personnel. Twelve councils acknowledged their cyber security spending was insufficient to adequately resource their improvement programs.

The Auditor-General's report suggests improvements in governance have occurred since 2019, but councils must address the identified gaps to protect essential services and infrastructure from increasingly sophisticated cyber threats.