The Auditor General has criticised the “many State Government entities who are not doing enough to protect State systems and people’s information from cyber-attacks”.
In her report, Information Systems Audit – State Government 2021-22, Auditor General, Caroline Spencer said 566 information system weaknesses were reported in 61 entities this year compared to 526 findings to 54 entities last year.
“Concerningly and similar to last year, half of the audit findings were unresolved issues from the previous year,” Ms Spencer said.
“It is crucial entities prioritise addressing audit findings to safeguard their information systems against constantly evolving and increasingly sophisticated cyber-threats.”
She said if the issues were not addressed, there could be data breaches, system outages and financial loss to State entities, and ultimately citizens.
“We found a significant majority of the entities failed to meet our benchmark in end-point security, access management and human resource security,” Ms Spencer said.
“Information security control weaknesses were so pervasive in 13 entities they resulted in a record number of qualified audit opinions — a serious matter — related to various data breach risks.”
Her report gave a number of case studies, including a former employee who was able to access an entity’s physical facility, log on to the entity’s network and access the financial system more than a month after their employment had been terminated.
The entity had failed to complete the exit procedures required to revoke the employee’s access to the network and systems.
In another example, a network outage had been caused by an unauthorised device interrupting key services.
Ms Spencer said some of the issues could be easily resolved and entities needed to show a focused effort on addressing the audit findings to protect the integrity and availability of the State’s IT systems and information.
The Auditor General’s 32-page Information Systems Audit State Government 2021-2022 can be accessed at this PS News link.