ATO faces parliamentary inquiry after audit raises concerns about its “cyber resilience”
Monday, April 10, 2017
The Australian Taxation Office will be the subject of a new inquiry into its cybersecurity practices after an audit in March found the agency has work to do on boosting its “cyber resilience”.
The Joint Committee of Public Accounts and Audit (JCPAA) launched an inquiry last Friday off the back of a follow-up audit completed by the Australian National Audit Office (ANAO) in March considering the cyber resilience of the ATO, Department of Immigration and Border Protection and Department of Human Services. The JCPAA is a parliamentary committee with the power to initiate its own independent inquiries into the Commonwealth public sector.
The March audit from the ANAO judged the different government agencies on their cyber resilience, and how they match up to the Australian Signals Directorate’s (ASD) “Top Four” mandatory strategies for cyber security. The ASD’s role is to protect government agencies from cyber attacks and ensure their cyber security.
JCPAA chair Senator Dean Smith said in a statement the Committee had an important role in “holding Commonwealth agencies to account”.
“Cybersecurity is integral to protect Government systems and secure the continued delivery of Government business,” Smith said.
“The Committee is continuing its oversight of entities’ compliance with the mandated strategies with the launch of this Inquiry.”
The audit raised concerns over the ATO’s ability to defend against cyber attacks, based on its practices on three of the four mandatory strategies. The ANAO defines cyber resilience as “the ability to continue providing services while deterring and responding to cyber attacks”.
The three areas the audit found to be of concern at the tax office relate to application whitelisting, application patching and operating system patching. Application whitelisting effectively stops employees or users from installing unapproved programs.
Whilst SMEs are unlikely to be able to implement application whitelisting to the extent government agencies can, one expert believes there are still solid steps businesses can take and there are business lessons to come from these concerns.
“This is typically something that’s not easy for small businesses to implement, as you need to have fairly expensive tech and very mature IT systems,” cybersecurity expert at Sense of Security Michael McKinnon told SmartCompany.
“The most realistic implementation for SMEs is to have your IT person warn employees about running downloaded executables, and advising them to use official company software.”
“It’s not exactly application whitelisting, but it’s a good step.”
In the March audit, the ANAO highlighted the importance of government agency compliance, noting the ATO processes more than $440 billion through its electronic lodgement systems annually. At the time of the audit, the ATO accepted the ANAO’s recommendations and said it would take them on board to become cyber resilient in 2017.
SmartCompany contacted the ATO for comment on the audit’s findings and the inquiry, but did not receive a response prior to publication.
In its response to the audit report, the tax office accepted there was more work to do on cybersecurity.
“The ATO has committed additional resource and focus to address deficiencies and reach a greater level of cyber resilience. Immediate improvements have already been put in place with a commitment to reach cyber resilience status in 2017,” it said.
Failure to update systems an “unforgivable sin”
The other area of concern the audit pointed to at the tax office relates to application and operating system updating or patching; McKinnon says failing to do so is an “unforgivable sin”.
“If you’re not patching your systems you’re just asking for troubles. This includes your smartphone, PC, tablet, network systems, everything,” he says.
Whilst dismissing an annoying update prompt on a PC is easy to do, McKinnon warns against postponing updates, saying SMEs should endeavour to update “whenever possible” and automate updates when they can.
“Don’t get into the habit of postponing updates or you will suffer the pain. Install the update when it asks you to do it. Most systems can update themselves at 3.00AM in the morning which will have minimal disruption to business,” McKinnon says.
In the audit, the ANAO found many agencies including the ATO chose not to update their systems in order to reduce service disruption but concluded it was possible to maintain “high levels of system availability without compromising cybersecurity”.
McKinnon acknowledges that, despite the need to stay vigilant about cybersecurity compliance, there are sometimes “certain situations” where companies must weigh the risks, noting the ATO would be unlikely to want to risk another outage similar to the one seen in December.
The JCPAA is accepting submissions into the terms of reference for the inquiry until April 27 and will hold a public hearing on May 12.