ACT public servants lack understanding of how to protect Canberrans’ personal information and are using “high-risk” services to store it, a watchdog says.
The territory’s auditor-general, Michael Harris, released a strongly critical review of data-security practices yesterday.
- Two auditor-general reports in recent months have criticised the ACT Government’s cybersecurity practices
- The latest report says some public servants don’t realise the risks of sharing sensitive data via email and on USBs
- The Government has not documented the security classification of two-thirds of its IT systems
On the same day, Prime Minister Scott Morrison revealed Australia was the subject of ongoing and wide-ranging cyber attacks targeting government agencies. China was reportedly coordinating the attacks.
Mr Harris catalogued significant failures in the way ACT agencies managed private data, including staff in some directorates being unaware of the risks of sending sensitive information by email or storing it on USB drives.
His audit also found agencies relied on unauthorised cloud services to store and convert images and documents.
The security measures used by these services were often unknown, and some of the data stored was at “high risk” of exposure and theft.
The report said 89 per cent of the Government’s “critical” IT systems lacked a security-risk-management plan. There were “significant delays” in completing these plans — eight months on average.
Agencies had also failed to document the security classification of about two-thirds of the Government’s IT systems.
It was the second auditor-general’s report in two months that criticised flawed cybersecurity practices in the ACT Government.
In April, Mr Harris highlighted agencies’ weak controls over access to IT systems.
‘No known successful cyber attacks’ on ACT Government
Chief Minister Andrew Barr acknowledged ACT agencies were subjected to cyber attacks “all the time” and said fixing the problems was crucial.
“The advice I’ve had … is that there have been no known successful attacks on ACT government systems,” he said of the latest wave of cyber warfare.
“But clearly there is a risk for all.”
Mr Barr said Canberra might be a priority target of a large attack because of the high-value institutions in the city, such as government agencies and defence-related businesses.
“The auditor has highlighted areas for improvement,” Mr Barr said.
Opposition Leader Alistair Coe said the Government had failed to do this.
“As more of our information is shifting online, it’s absolutely vital that we have a proper digital plan for the protection of the ACT’s assets but also [of] the privacy of Canberrans,” Mr Coe said.
“It has to be a priority for the ACT Government and today’s report suggests that it’s not currently under ACT Labor.”
The Government said it would implement Mr Harris’s nine recommendations.