An independent audit by the Australian National Audit Office (ANAO) revealed that Services Australia and AUSTRAC were inadequately prepared for significant cyber security incidents. The audit found that both agencies had only “partly effective” cyber security incident management arrangements, lacking robust business continuity and disaster recovery plans. Given their role in handling sensitive personal and financial data, these government bodies are high-value targets for cybercriminals. The audit highlighted that nearly a third of reported cyber incidents involved government entities, underscoring the need for improved cyber resilience.
The audit identified several gaps in Services Australia’s cyber security practices. It was noted that Services Australia lacked a documented approach to threat assessments and incident management policies. Although the agency had established some procedures for managing data spills and malicious code infections, it did not fully document or test its disaster recovery plans. The Auditor-General made ten recommendations to enhance Services Australia’s cyber security, including developing a comprehensive Cyber Security Incident Management Policy and improving data backup and digital preservation practices.
AUSTRAC was also found to have deficiencies in its cyber security management. The report highlighted the lack of procedures for testing data backup systems and of complete disaster recovery testing due to budget constraints. AUSTRAC did not have a formal policy for logging events or for detailing its Chief Information Security Officer’s (CISO) responsibilities. The recommendations for AUSTRAC included defining CISO responsibilities, implementing a security maturity monitoring plan, and enhancing disaster recovery and risk reporting processes.
Both agencies have accepted the recommendations and acknowledged the need for improvement. Services Australia’s CEO recognized the need to enhance processes and procedures for better safeguarding personal information and ensuring service continuity. AUSTRAC’s CEO confirmed the acceptance of the audit recommendations, emphasizing that they would help strengthen cyber security practices. The ANAO’s audit cost approximately $772,926, and detailed technical information was provided to relevant authorities but not made public.