
Op-Ed: What local councils must do next to strengthen cyber resilience

Australia’s local councils face a rising tide of cyber security risks, and there is work to be done to fix this systemic problem.

Toby Amodio, Cyber Security Practice Lead at Fujitsu. Fri, 20 Feb 2026

The recently released NSW Local Government Audit paints a stark picture: cyber risk across the sector is not isolated, it’s systemic. And it is rising faster than many councils’ capacity to respond.

The report’s recommendations are sound, but they highlight an execution gap: the high-level advice is difficult to operationalise for councils already constrained by limited budgets and cyber capability.

Three statistics from the audit capture the challenge:

  • 73 per cent of councils have no formal policy to address supply chain cyber security risks.

  • 72 per cent do not formally measure whether their cyber security spending is effective against current threats.

  • Only 21 per cent have processes in place to manage underutilised or outdated security tools.

These figures show a sector that is investing in security, but without the governance and feedback loops needed to turn that spending into measurable risk reduction. To shift the needle, councils need more than guidance. They need practical support that makes cyber uplift achievable and repeatable.

Councils face a war on two fronts

Local councils are a target-rich environment for attackers, a situation amplified by their constrained resources and the vital mix of digital Information and Communications Technology services and physical Operational Technology – like water and wastewater systems – they manage.

This has left them fighting a war on two fronts:

  • Profit-motivated cybercriminals: These groups are increasingly using automated ransomware and cyber-enabled fraud to exploit weak controls and human error for financial gain.

  • Nation-state actors: These operators are targeting government infrastructure for long-term strategic access, often going undetected. This has been seen across Western nations, but most notably at an operational level in Ukraine.

As attackers automate, councils must automate their defence: patching, reducing attack entry points, and removing legacy exposure.

The common vulnerabilities driving these threats are:

  • Limited visibility: Councils often can't see their entire digital footprint due to the scale of their services, their geographic spread, and a lack of monitoring tools.

  • Expanding entry points for attacks: The continued use of legacy, end-of-life systems that are difficult to patch and secure.

  • Inconsistent security: Basic controls like patching aren't applied everywhere, often due to time constraints or the need to keep systems running, even if it means they are less secure.

  • Targeted social engineering: Exploiting gaps in workforce awareness to trick employees into granting access or initiating fraudulent transactions.

Building cyber resilience with a repeatable three-step playbook

Councils need a repeatable playbook that helps them improve cyber resilience over time.

A practical way is to structure their actions through three steps: protect, detect, and respond.

  1. Protect – know your battlefield: You cannot protect what you do not understand. Councils need to map their full Information and Communications Technology and Operational Technology footprint to understand all systems and digitally connected assets. Only then can they embed consistent controls across these systems. In our work with customers, we regularly uncover systems and tools they didn't know they had, and we show them the exact vulnerabilities these forgotten assets create.

  2. Detect – create an early warning system: An effective detection strategy requires two things: continuously monitoring all technology systems for unusual activity, and empowering staff with a simple process to report anything suspicious. During our own simulated attacks, we find that over 80 per cent of customers do not detect our actions, meaning a real threat actor could operate completely undetected.

  3. Respond – prepare for crisis: It's critical to not only have an incident response plan but to regularly practice it. This ensures everyone knows their role and how to communicate, keeping essential services running during an attack. Each practice run, and every real incident, should be used to refine and improve the plan. Far too often, we get called in to help organisations that skipped this step, and we end up trying to draw up a fire escape plan while their Information and Communications Technology building is already in flames.

Don’t go it alone: Partnerships are a force multiplier

A fragmented, tool-driven approach rarely delivers resilience. The real force multiplier comes from leveraging partnerships, shared capabilities and a consistent approach to technology implementation. Since the challenges are not unique, councils should learn from each other while partnering with industry to fill critical capability gaps.

Lastly, moving the Information and Communications Technology footprint away from the current fragmented, tool-driven approach will make it simpler to apply controls consistently.

From compliance to community resilience

The ultimate objective must be to move beyond compliance and towards genuine community resilience. The audit has highlighted the risks. The next step is to translate its recommendations into consistent practice across the sector.

Cyber resilience must be treated as core civic infrastructure, not just an IT function. This means placing the functions of protection, detection, and response at the very core of local government operations.

The goal is not only to prevent incidents, but to ensure essential community services can continue even when disrupted. That is what true resilience looks like, and it is what ultimately protects community trust.
