Govt agencies urged to adopt a 'culture of security'
The Prime Minister’s top cybersecurity advisor has urged the ATO and other government agencies to draw lessons from the bungled 2016 online census and take steps to build a ‘culture of security’ into the organisation.
In a submission to a parliamentary inquiry into the tax system, Alastair MacGibbon said a key lesson from the eCensus incident is that security must be “baked in” to the design and delivery of digital government services.
“Government can develop a more ‘shared service’ consultancy approach to cybersecurity to boost agency capacity and allow resources to be reallocated to service delivery,” MacGibbon said.
He criticised government agencies for all too often displaying a “‘tick box’ compliance culture”, which means that “agencies will consider themselves secure if they get their internal ICT area and their subcontractors to put in place and uncritically follow prescribed security procedures. But compliance does not equal security.”
He instead urged agencies including the ATO to develop a culture of security allowing them to adapt to changing threats and educate their staff on good cyber hygiene.
In the wake of the incident, government agencies must also think critically about how they manage their relationships with vendors. Currently, outsourcing of technical capabilities is the norm, which makes managing cybersecurity risks more challenging, MacGibbon said.
“Trust is good, but trust without verification is dangerous,” he said. “Agencies need to verify the security capabilities of their vendors through regular testing and exercises. Agencies should also be cognisant that their ICT contractors also have downstream subcontractors involved in the service delivery who need to be trusted and verified as well.”
Finally, agencies need to learn from the eCensus event and improve the way governments engage with the public in the wake of a disruptive event or crisis, which should involve actively communicating with the public through social media channels.
“Agencies that do their business online with the public online need to speak to the public online too. Social media skills need to be raised across the Commonwealth,” MacGibbon said.
Logistics and e-commerce technology company Pitney Bowes is working to restore services after a...
The board of UK-based security company Sophos will unanimously recommend a US$3.82bn takeover...
Security company Proofpoint has provided details of a staged malware downloader they are calling...