From names and addresses to licence applications, rates histories, building approvals and more, local governments are responsible for a plethora of personally identifiable information.

As systems become ever more digital and connected, the risk of sensitive information leaking – by accident, neglect, or malicious intent – continues to grow.

This issue was highlighted in the Office of the Auditor General’s (OAG) Local Government – 2023–24 Information Systems Audit, which found that nearly 70% of reported issues relate to information and cyber security.

The report also identified concerns around:

  • weak or missing access management and information security framework controls
  • deficiencies in endpoint security, such as inadequate protection of devices against malware and unauthorised access
  • inadequate network security controls, which increase the risk of unauthorised access or data breaches
  • gaps in human resource security, such as insufficient staff training and weak onboarding/offboarding procedures

Although councils are investing in cyber security, gaps in policy and process mean those efforts don’t always translate into real protection. For example, the OAG report contains a case study involving a local government entity that had technical controls capable of blocking, monitoring, and alerting about data loss to cloud services and removable storage devices. However, these controls weren’t activated! There were no policies in place to assign accountability, or guide how the controls should be managed.

This leaves the council or shire at risk of data breaches, non-compliance, and damage to their public image – not to mention the risk to residents if lost data were to fall into the wrong hands.

Preventing data loss with the right tools

As difficult as it is, local governments are responsible for keeping pace with today’s digital risks and implementing the measures needed to respond.

These risks are everywhere, and include:

  • remote staff accessing data from home, public spaces, or overseas
  • malicious entities, including well-funded foreign actors
  • disgruntled employees, particularly during layoffs or restructures
  • contractors or third parties with ungoverned access to systems
  • departing staff quietly taking files or sensitive information
  • dormant malware designed to collect data over time without detection
  • uploads to AI platforms
  • third-party file sharing tools such as Apple AirDrop, personal cloud drives, and unrestricted USB devices, which make it easy to move files in seconds

The only way to properly protect sensitive data is to have constant eyes on it. This certainly isn’t possible to do manually, but it can be achieved quite effortlessly with data loss prevention tools.

These tools sit on top of your IT environment and monitor for unusual data activity by learning typical behaviour patterns and flagging anomalies. This could be anything from a late-night login followed by large downloads, to someone sending attachments to a personal email address.

Merely implementing this tool cannot be the end of the story though. As we saw in the OAG case study, without someone to oversee the tool it’s as good as not having it at all. The person you select needs to be fully accountable, and guided by a policy that clearly details:

  • what happens when an alert is triggered
  • how quickly a response is required
  • how the alert should be escalated

This data loss prevention policy should form part of a broader data use policy that specifies employee obligations; rules around moving, copying, sharing, and deleting data; access permissions and approval processes; how sensitive information is classified; and any other relevant data protection rules.

Data loss prevention checklist

Do you have these essential data loss prevention (DLP) measures in place?

  • A defined purpose and intent for data loss prevention, aligned with regulatory requirements and frameworks.
  • Clear definitions for how the DLP tool is implemented and managed.
  • Policies and procedures governing how the tool operates and what data it protects.
  • Dedicated and funded resources to manage the DLP tool over time.
  • A process to regularly review the purpose, coverage, and effectiveness of the tool.
  • Targeted training for staff on data protection practices.

You can self-assess your current position against these points, and if there are gaps then you will need to create a plan.

How RSM can help

Effective data loss prevention is about having visibility of what’s happening to your data, knowing what’s worth protecting, and being able to act quickly when something doesn’t look right. This has become a growing focus for the OAG, with increased scrutiny aimed at strengthening how local governments protect against cybercrime.

RSM’s technology consulting team provides a full range of data loss prevention services for local governments, including:

  • deployment and configuration
  • implementing a monitoring and response process
  • outsourced monitoring and management
  • reviewing and developing policies, processes, and procedures around data loss prevention

You can also engage our cyber team to review how your data loss prevention policies and processes stack up against industry standards, compliance obligations, and OAG guidelines.

Done right, data loss prevention strategies help guard against the serious risks associated with lost or stolen data, and support local government compliance while reinforcing public trust.

To learn more about data loss prevention, contact the technology consulting division at your local RSM office.

 

 
