Peter A Clarke

The Fairfax press in Personal information held by NSW government exposed to cyber crime risk reports that 2/3rds of NSW Government agencies do not comply with their obligations to secure data.

The 82 page report provides insight but the chronic and deep seated flaws in data handling and cyber security practices are all too common.  A lack of training and what limited access to data should mean,  a lack of in depth protections which detect breaches from both outside and within, inadequate legislation with ineffective enforcement and inadequate training which leads to a poor privacy culture are the foundations upon which these problems develop.

It is curious that the report was released on 20 December and only reported on 28 December 2017.  Given the issue is so serious it is almost certain to disappear into the ether over the Christmas break.  Maybe it wasn’t so curious after all.

The New South Wales Audit Office released a press release on 20 December 2017 providing:

Agencies need to do more to address risks posed by information technology (IT), NSW Auditor-General Margaret Crawford has found.

‘IT control deficiencies were the most common source of internal control issues in our 2016-17 audits of NSW agencies’, Ms Crawford said.

The extent of the cyber security threat is unknown because agencies define a ‘cyber attack’ differently. This matter will be examined in more detail in a performance audit report on cyber security scheduled for release in early 2018. Further, most agencies do not sufficiently monitor or restrict privileged access to their systems and some do not enforce password controls.

‘Shared services arrangements can reduce back-office costs. However, performance management of shared service providers could be improved’, Ms Crawford said.

These are some of the findings to emerge from the first stand-alone report on internal controls and governance released by the Auditor-General today.

‘The report is based on our work with 39 of the State’s largest agencies. While this does not cover every agency in New South Wales, it draws from a large enough number to identify common issues and insights’, Ms Crawford said.

The new report will help the parliament to understand critical issues across the public sector, and help agencies to compare their own performance against that of their peers. It evaluates how agencies identify, mitigate and manage risks related to:

• financial controls
• information technology
• asset management and the delivery of significant capital projects
• continuous disclosure and shared service arrangements
• ethics, conflicts of interest, and gifts and benefits
• risk management.

Overall, the report makes 17 recommendations that will help agencies improve internal controls and governance, and in turn deliver their services more effectively. It also reviews how agencies have progressed against recommendations made in the previous year.

The article provides:

Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.

The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.

While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.

“Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes,” she says in the report.

“Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users.”

Overall, Ms Crawford’s report found 68 per cent of NSW government agencies “do not adequately manage privileged access to their systems”.

In addition, she said, the audit determined that 61 per cent of agencies “do not regularly monitor the account activity of privileged users”.

“This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse,” the report said.

The audit found 31 per cent of agencies “do not limit or restrict privileged access to appropriate personnel”. Of those, just one-third monitor the account activity of privileged users.

It found that almost one-third of agencies breach their own security policies on user access.

The report warns that if agencies fail to implement proper controls “they may also breach NSW laws and policies and the international standards that they reference”.

These include the Public Finance and Audit Act, which says agencies must have effective internal control systems.

Ms Crawford’s report also finds there are different approaches to how agencies record and report cyber attacks, including applying different definitions, which means “the number and nature of cyber attacks is unknown”.

It says that NSW government agencies “should tighten privileged-user access to protect their information systems and reduce the risks of data misuse and fraud”.

A spokesman for finance, services and property minister Victor Dominello said the government “acknowledges the findings”.

“As recommended in the report, a review of the Digital Information Security Policy is currently under way and a new Cyber Security Strategy is due to be completed in 2018,” he said.

The spokesman said the review is being led by the government’s chief information security officer, Dr Maria Milosavljevic, whose position was established in May “to bolster the government’s capacity to prevent, detect and respond to cyber threats”.

The findings follow a report in February to the NSW Parliament by then acting NSW Privacy Commissioner Elizabeth Coombs.

In it, Dr Coombs noted: “Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors.”

Dr Coombs said that “data breach notifications and complaints to my Office are increasing”.

She noted that, last year, the Queensland Crime and Corruption Commission “revealed that the misuse of confidential government information was not just one of the most common corruption allegations made, but [was] an increasing percentage, having almost doubled from 2014-15”.

“Members of the public have every right to expect that their personal information is not being placed at risk by poor organisational practices, nor accessed by or disclosed to anyone who does not have legitimate authority to use it,” she said.

Her report highlighted gaps in NSW privacy legislation and recommended changes “to increase the accountability of employees and contractors”.