With cyberattacks and data breaches on the rise, Australia’s government departments and agencies are under even greater scrutiny and pressure to ensure that the data security of Australians is not compromised.
While having a central repository of data shared among government organisations for the good of Australia’s citizens can be beneficial, it can also be a double-edged sword when it comes to data privacy and protection.
The My Health Record (MHR) initiative which consolidates Australians’ electronic medical history into a single record and is accessible by all healthcare practitioners suffered 42 data breaches during 2018. This a very real cause for concern, especially if the data were to fall in the wrong hands.
Failings of the public sector
A recent report by the Australian Strategic Policy Institute’s International Cyber Policy Centre (ICPC) found that there are significant shortfalls among Australian critical national infrastructure providers, many of which are government agencies or government-owned entities and are at critical risk of cyber attacks.
The report stated that increasing connectivity via the Internet of Things has brought both “benefits and new risks that Australia is not yet prepared for”. The report found that some of these failings were attributed to a skills shortage as well as a lack of understanding of the specific risks of operational systems and the appropriate commercial solutions. In addition, there was also a “concerning” gap in knowledge and experience on boards.
The public sector compared to its private sector counterparts typically also receives less funding when it comes to managing data security while being expected to deliver services more efficiently. Furthermore, there is a constant struggle in the sector to recruit talent given the high salaries infosec professionals are getting currently in other industries.
Given the requirement to store data and provide services based off other departments’ data to citizens amongst government agency departments such as in the case of the MyGov website which links Centrelink, Medicare, tax and superannuation information, securing the entire supply chain and data life cycle can be a mammoth task to undertake.
Strategies to ensuring data protection
However, there are some effective strategies that public sector departments and agencies can implement to ensure better security and protection of its data:
1. Provide better education to staff and stakeholders on basic awareness around operational technology systems and how to manage risks
Given the lack of board members with specific expertise, public sector departments and agencies need to encourage and enable boards to be more inquisitive, creating a culture in which they can ask questions and explore issues in an open and transparent manner.
Better threat intelligence information sharing among government agencies and departments can lead to better outcomes and being more proactive to dealing with the threat of potential breaches and cyber attacks. Information sharing should also include things outside of threat intelligence and should cover what’s working and what's not. After all, to be forewarned is forearmed.
The education of staff and stakeholders is always key to mitigating potential cyber risks. Raising the awareness of data on systems such as how to avoid security threats such as phishing emails while ensuring proper procedures are followed can help reduce the number of data breaches.
2. Assess which of your systems require protection and the level of protection required
Government departments and agencies employ a multitude of systems. Knowing which systems store, process or communicate sensitive information will help you to focus on the areas and systems you need to look into to address any potential threats/problems.
From there, you can then decide which mitigation strategies to implement based on the risks to business activities of your department or agency.
And don’t forget to regularly backup your data, software and configuration settings as you want to ensure that you’re able to access your information as quickly as possible following a cyber security incident.
3. Prioritise resources among appropriate government agencies to implement required measures where needed
Having the appropriate resources in place and knowing which government department or agency is aware of when to implement and execute the necessary measures is critical. The longer the delay in responding to the situation, the greater the chances of the threat escalating.
For public sector departments and agencies, managing data security and protection can often be a complex maze to navigate. The collective buying of solutions that meet the same need and having adequate trained infosec professionals within the organisation are some measures that can help to alleviate security risks.
Putting in place good security practices from the onset and being proactive in mitigating risks will end up being much more cost effective and time efficient than having to respond and deal with a cyber security incident which could have adverse consequences.