The New South Wales Government’s cyber security strategy is under urgent review after Auditor’s Offices criticised the way its agencies are handling privileged access and other basic security practices.
At the end of last year (20th December 2017) the government of New South Wales received an unwelcome Christmas present from its own Auditor’s Office. This came in the shape of an 82-page report detailing “chronic and deep-seated flaws” in data handling and cyber security practices within its most prominent agencies.
This is more than a little embarrassing for a state that is—according to a press announcement released earlier in the year by Victor Dominello MP, the NSW Minister for Finance, Services and Property—“delivering record investment in digital transformation that has seen [it] continue to lead the nation in Digital Government Readiness.”
The Report on Internal Controls and Governance 2017 highlights a wide range of failings—from a lack of training and understanding around what limited access to data should mean to inadequate legislation with ineffective enforcement. However, the way in which NSW’s agencies are handling access privileges receives special attention.
“IT control deficiencies were the most common source of internal control issues in our 2016-17 audits of NSW agencies,” says NSW Auditor-General Margaret Crawford. “Despite the risks, we found that one agency had 37 privileged user accounts, including 33 that were dormant. The agency had no formal process to create, modify or deactivate privileged users.”
If that didn’t ring enough alarm bells, Crawford continues by pointing out that based on the Auditor’s work with 39 of the State’s largest agencies they found that over two-thirds (68%) of government agencies “do not adequately manage privileged access to their systems”.
Her report also uncovered that 61% of agencies “do not regularly monitor the account activity of privileged users”. This dramatically increases the risk of those agencies not “detecting compromised systems, data breaches and misuse”, and ultimately places public data at risk of compromise.
And it doesn’t stop there…
The report also found the following:
- 31% of agencies “do not limit or restrict privileged access to appropriate personnel”
- Of those, just a third monitor the account activity of privileged users
- Almost a third of agencies breach their own security policies on user access
Crawford warns that if agencies fail to implement proper controls “they may also breach NSW laws and policies”. These include the Public Finance and Audit Act, which states that agencies must have effective internal control systems in place.
There is no easy way to dress this up as anything other than a gross failure across the board. Failure at this level is inexcusable. A state that is “leading the way” in digital must also be leading the way in cyber security. NSW government agencies need to tighten up on privileged-user access and management in order to protect their information systems and reduce the risks of data misuse and fraud, and they need to do it quickly.
This blog was ghost-written by three-sixty for Thycotic and published on their blog