By Julian Bajkowski

One of Australia’s most trusted information security firms has warned that public sector organisations need to independently test their cyber-defences to prevent unwanted intrusions and malicious activity rather than relying on existing assumptions of their vulnerability levels.

Saltbush Group senior consultant Geoff Rhodes, who is the immediate past chair of the federal government’s Information Technology Security Expert Advisory Group, believes that local government organisations must consider their potential exposure to vulnerabilities on par with small-to-medium-size businesses because of their limited level of resources for fending off intruders.

The public statement from the normally taciturn consultancy is significant because Saltbush normally works quietly behind the scenes to advise on and harden-up cyber defences for clients with high degrees of sensitivity.

The company’s client list includes defence industry suppliers and agencies including the Defence Signals Directorate as well as the Attorney General’s department, Centrelink and VicRoads.

“There are some key questions all businesses should ask about the data they hold – whether its transactional details like credit card details from purchases or medical records,” Mr Rhodes said. 

Saltbush’s cautionary note closely follows the revelation that an Australian Broadcasting Corporation website for the television program “Making Couples Happy” was hacked.

According to an ABC statement the breach exposed “the name, username and a hashed version of the password that audience members used to register on the program website.”

While that intrusion is believed to have been perpetrated by ideologically motivated hackers seeking to cause embarrassment, Saltbush is pushing the message that both public and private organisations need to start looking at vulnerabilities with a fresh set of eyes and in the same way that hackers do.

A key issue is that even though larger government agencies will often have mature and well-resourced cyber security safeguards, many smaller agencies must make do with constrained resources to protect against intruders.

“Local government organisations are no different from other government organisations,” Mr Rhodes said. “[However] the resources available are often at the lower end. The issues are always that organisations underestimate the level of risk to their systems.”

The government’s own evidence corroborates many of Saltbush’s concerns.

The Cyber Crime and Security Survey 2012 from CERT Australia, the government’s own computer emergency response team, warns that the “reporting of cyber security incidents – which is critical to the effectiveness of the government-business partnership – clearly requires further attention.”

“Anecdotal evidence available to the CERT suggests that some businesses are unaware of the full scope of unauthorised activity on their networks.”