The general population puts its faith in its government to manage citizen records and keep them as safe as possible.
Sadly, the NSW Auditor General has recently found that this was not the case after auditing ten unnamed NSW government agencies and finding that their cyber security policy and defence systems were inadequate or inefficient.
Some of the cyber security problems identified in their audit report include:
- Many agencies used a SIEM (Security Information and Event Management software) that did not always cover every aspect of the agency’s IT system[1]. Further, two of the audited agencies did not use any SIEM tools at all. This meant that an agency’s IT team would only react to a breach if it was notified by the SIEM.
- Poor reporting and reaction times during critical incidents. It appears that IT service providers are not obliged to report any incidents to their agencies[2]. A third party providing IT assistance to a government agency may not be communicating properly with that agency.
One of the most damning examples used in the audit was an attempted hack into a government agency’s financial database, which took forty-nine days to detect and shut down![3] The hack compromised an agency email account, which was used to distribute phishing emails to the rest of the agency to obtain staff credentials. It appears that it was only after a month that the IT provider working with that government agency disclosed the breach to the government’s Chief Security Officer. It was only by the forty-ninth day that the IT provider realised that the original email account was still compromised and had not yet been shut down.
It is worrying to think that inter-agency communication about issues such as cyber security and breaches of security is inadequate. When dealing with cyber security issues, it is understandable that one would want to keep complicated and sensitive news private or reserve it for those with technical understanding. However, when a security breach affects an entire agency, the need for discretion should go out the window. Even the most technologically illiterate staff inside an agency can assist in protecting data, from reporting a suspicious email to being told not to open compromised files.
Government agencies, in particular, should not be complacent about their IT systems. It is not enough to depend on anti-virus software, or to trust in the capabilities of their outsourced (or internal) IT security provider. One of the eleven recommendations made by the Auditor General was complete coverage and protection of all internal systems, and not just some select ones. Likewise, a SIEM alone cannot be relied on to provide full coverage and protection.
A government agency should take the lead in ensuring it uses the best cyber security tools available to it. Inter-agency communication is always going to be important. There should always be a feedback loop between an agency and its IT provider, and that loop should not be taken for granted.
Public trust is incredibly important, and the prevalence of fraudulent financial hacks is a huge danger. If public funds are misappropriated, the consequences can lead to severe social and political upheaval.
For assistance with improving and implementing effective cybersecurity within your organisation, please do not hesitate to contact Agilient.
The Agilient Team
[1] https://www.itnews.com.au/news/nsw-govt-gets-an-f-for-cyber-security-486189?eid=1&edate=20180305&utm_source=20180305_AM&utm_medium=newsletter&utm_campaign=daily_newsletter
[2] https://www.peerlyst.com/posts/49-day-hack-shows-need-for-cyber-security-beef-up-andrew-commons
[3] https://www.abc.net.au/news/2018-03-02/cyber-security-in-nsw-public-sector-needs-improvement/9503250