Two-thirds of NSW government agencies are failing to properly safeguard their data, increasing the risk of improper access to confidential information about members of the public and identity fraud by cyber criminals.
The finding has emerged from an audit of dozens of government agencies, including those holding highly sensitive personal information collected from millions of citizens, such as NSW Health, the department of education, NSW Police Force, Roads and Maritime Services and the justice department.
While the report by auditor-general Margaret Crawford does not name the agencies failing to properly manage privileged access to their systems, it highlights the potential consequences.
“Personal information collected by public sector agencies about members of the public is of high value to cyber criminals, as it can be used to create false identities to commit other crimes,” she says in the report.
“Despite these risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users.”
Overall, Ms Crawford’s report found 68 per cent of NSW government agencies “do not adequately manage privileged access to their systems”.
In addition, she said, the audit determined that 61 per cent of agencies “do not regularly monitor the account activity of privileged users”.
“This places those agencies at greater risk of not detecting compromised systems, data breaches and misuse,” the report said.
The audit found 31 per cent of agencies “do not limit or restrict privileged access to appropriate personnel”. Of those, just one-third monitor the account activity of privileged users.
It found that almost one-third of agencies breach their own security policies on user access.
The report warns that if agencies fail to implement proper controls “they may also breach NSW laws and policies and the international standards that they reference”.
These include the Public Finance and Audit Act, which says agencies must have effective internal control systems.
Ms Crawford’s report also finds there are different approaches to how agencies record and report cyber attacks, including applying different definitions, which means “the number and nature of cyber attacks is unknown”.
It says that NSW government agencies “should tighten privileged-user access to protect their information systems and reduce the risks of data misuse and fraud”.
A spokesman for finance, services and property minister Victor Dominello said the government “acknowledges the findings”.
“As recommended in the report, a review of the Digital Information Security Policy is currently under way and a new Cyber Security Strategy is due to be completed in 2018,” he said.
The spokesman said the review is being led by the government’s chief information security officer, Dr Maria Milosavljevic, whose position was established in May “to bolster the government’s capacity to prevent, detect and respond to cyber threats”.
The findings follow a report in February to the NSW Parliament by then acting NSW Privacy Commissioner Elizabeth Coombs.
In it, Dr Coombs noted: “Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors.”
Dr Coombs said that “data breach notifications and complaints to my Office are increasing”.
She noted that, last year, the Queensland Crime and Corruption Commission “revealed that the misuse of confidential government information was not just one of the most common corruption allegations made, but [was] an increasing percentage, having almost doubled from 2014-15”.
“Members of the public have every right to expect that their personal information is not being placed at risk by poor organisational practices, nor accessed by or disclosed to anyone who does not have legitimate authority to use it,” she said.
Her report highlighted gaps in NSW privacy legislation and recommended changes “to increase the accountability of employees and contractors”.