‘Real and growing threat’: Almost every state government body hit in cyberattack surge
By Rachel Eddie
Ninety per cent of Victorian government agencies suffered cybersecurity incidents last year and successful attacks seriously disrupted critical services, the state’s auditor-general has found.
In a report tabled in state parliament on Wednesday, the Victorian Auditor-General’s Office warned the rise in cyberattacks could expose the community to personal data breaches and disrupted communication networks, and shut down water, health and other critical facilities.
Fire Rescue Victoria’s dispatch and email systems went down in December last year, in a cyberattack that forced firefighters to rely on radios and mobile phones when responding to emergencies, and that also exposed staff personal information.
In 2019, surgical procedures were delayed after Victorian hospitals were targeted. While no patient information was leaked, hackers installed software that disabled bookings for more than 24 hours.
The government considers cybersecurity among the top 10 risks for the state. But there were 617,000 workers – 94 per cent of staff at the agencies examined – who did not use multifactor authentication.
“Cybersecurity threats in Victoria are real and growing,” the auditor-general said. “Agencies have recognised the need to establish a whole-of-government approach. But they need to do more to improve cybersecurity for the entire sector.”
The Auditor-General’s Office examined agencies including government departments, a local council, a water authority and a health service.
In its report, published on Wednesday, it found none of the audited agencies had fully implemented all identity and device controls, such as multifactor authentication, to stop malicious users from accessing networks through unsecure accounts.
“Four agencies give users the lowest possible access they need to do a task, which is technically known as least-privilege access.”
The report recommended the public sector address cybersecurity risks in a co-ordinated way.
“Agencies do not always have the resources to establish cybersecurity teams with up-to-date knowledge and skills. But they could benefit from a whole-of-government approach to implement these controls to improve their cybersecurity,” the auditor-general said.
“Without a co-ordinated approach, many agencies are duplicating their efforts and not using the public sector’s economy of scale to efficiently manage cybersecurity risks.”
Government departments and agencies that responded to the report said they were committed to reducing cybersecurity risks.
The Department of Government Services has accepted the recommendations of the report.
A government spokesperson said cybersecurity was a priority the new Cyber Defence Centre provided the ability to detect and block threats “in real time”.
“We are investing to further build capability and performance across government,” they said.
Last month, this masthead revealed that Victorians’ personal information was potentially breached by a cyberattack on law firm HWL Ebsworth, which counted government departments and agencies as its clients. Sensitive documents were stolen from the firm, but not from the government agencies.
The Morning Edition newsletter is our guide to the day’s most important and interesting stories, analysis and insights. Sign up here.