West Australia’s Office of the Government CIO has identified a “significant” cyber security skills gap in the state’s public sector.
The comment from the GCIO came in response to a report that criticised the lack of a coordinated approach by the WA government to dealing with “cyber threats”.
The report from the state’s auditor-general scrutinised the threat of malware at six state government agencies. It uncovered “persistent malware infections” at two of the agencies. (Earlier this year ICT systems at WA’s parliament were temporarily shut down to prevent a malware infection from spreading.)
The investigation examined the Department of Agriculture and Food, Department of Mines and Petroleum, Department of the Attorney General, Department of the Premier and Cabinet, Main Roads Western Australia, and the Department of Transport.
“IT control failures are still common,” the report stated. “Our testing revealed all agencies had some control failures, or missing controls. Common issues were around missing security patches and outdated operating systems. We also noted problems with management of antivirus software, assignment of access rights, and network design. These ineffective or missing controls place agencies at risk of malware infections and breaches. While some performed well, there is still a need for ongoing assessment of risks and improvement of controls.”
The report noted that the Office of the GCIO was established in July 2015 and has produced a WA Digital Security Policy.
“However, the all-important security standards that will support the policy are still in development,” the report noted.
“At the time of our audit, there was no whole-of-government security policy or framework providing guidance to agencies on how to implement a successful security program,” the report stated.
“Agencies are also not required to report malware incidents to a central agency. As a result, no single body was able to provide us with an overview of the size or nature of the malware threat faced by agencies.”
The report recommended that the Office of the GCIO continue to roll out the Digital Security Policy and look at methods “to foster collaboration, information and resource sharing between agencies” and gather data to “properly understand the threat posed by malware and other cyberthreats to the WA public sector”.
In its response, the GCIO suggested that government CEOs have cyber security as a standing agenda item on their corporate executive risk register and that it be reviewed frequently throughout the year.