Western Australia’s acting Auditor-General Glen Clarke has issued a serious warning to the state’s departments and agencies to beef up their IT security practices, with a new report finding that most were not even using basic security techniques such as encryption of sensitive data on laptops and USB keys.
The auditor recently carried out an examination of the security practices of seven agencies — including major ones such as the Departments of Commerce and Education and the Western Australia Police.
The report — available online — found that only WA Police had addressed some of the risks associated with lost or stolen flash drives, making sure they were encrypted. But none of the surveyed agencies knew how many portable storage devices (PSDs) they had or what the exact security risks were in using them for sensitive data.
“Most agencies have an increasing number of laptops and PSDs and there is a pressing need for agencies to act on the security risk these devices pose,” said Clarke in a statement. “While these devices have their benefits, their portability also places them at greater risk of being lost or stolen and the information stored on these devices needs to be protected.”
The Department of Commerce and Royal Perth Hospital did not know how many laptops they owned. With the auditor finding that 750 WA Government laptops had been reported lost or stolen over the past three years, this raised the possibility that agency machines and the data stored on them could be lost or stolen without the agencies themselves knowing.
The audit also examined enterprise applications used by the various agencies for IT security holes, again finding a number of problems.
For example, easy-to-guess passwords, unauthorised user accounts and a failure to remove accounts belonging to former staff were rife amongst the systems surveyed.
“At two of the agencies we were able to guess the passwords and gain access to highly sensitive information, and at three agencies we found that former staff were still able to access confidential information and databases,” said Clarke.
He added that at one agency, confidential information such as client names and address details was unnecessarily attached to other data sent to contractors.
“This is unacceptable,” he said. “The community needs to know that the information government agencies hold is treated with the respect and discretion it deserves.”
But it got worse.
In some cases there was no user activity log in place for applications — meaning security breaches could go undetected. Anti-virus software was not in place or had not been updated, and there was a risk of unauthorised access to bank account and credit card details and staff payments.
It’s not the first time the WA Office of the Auditor-General has chastised agencies about their IT security — it was a similar situation back in November 2007 when another security audit was handed down to Parliament. Clarke said there had been some initial signs of improvement over the past year, but too many agencies continued to ignore the risks.