An audit has found dozens of NSW councils are still without basic cyber security controls.

The NSW Audit Office has uncovered poor management of cyber security at 58 of the state’s 128 local councils, 9 counties and 13 joint organisations.

“Fifty-eight councils have yet to implement basic governance and internal controls to manage cyber security,” its report said.

This includes “a cyber security framework, policy and procedure, register of cyber incidents, penetration testing and training”.

The audit report (available here in PDF form) also found that 64 councils “did not formalise and/or regularly review their key IT policies and procedures”.

Another 43 councils “did not perform a periodic user access review to ensure users’ access to key IT systems” was appropriate, while 68 councils “did not monitor privileged accounts’ activity logs”.

Things have improved since last year, when 80 per cent of councils were found to have no formal cyber security policy, but many are clearly struggling to address IT security risks.

Cyber Security NSW is working with the Office of Local Government and the Department of Planning, Industry and Environment on an industry-specific cyber security policy.

Local Government NSW has criticised the NSW Government for not supporting cyber security in the local government sector.