How government bodies and public servants can mitigate the growing cyber threat

Australia’s recent increase in high-profile data breaches has resulted in highly sensitive and personally identifiable data being exposed by hackers and made available for purchase to the highest bidder. The range of brands and industry sectors impacted should shake even the most complacent organisations into action by demonstrating nobody is immune, writes John Hines.

John Hines

These unfortunate incidents have thrust cybersecurity into the spotlight across the country. And nowhere else is this more important than within government bodies and the wider public service.

Government agencies, departments and government owned organisations hold a large amount of personal data of citizens under their jurisdiction, making them a tantalising target for malicious actors.

Cyber-attacks against governments of all levels in Australia can also mean higher risk of further breaches to other agencies and jurisdictions.

In 2020, a targeted phishing attack against Service NSW led to 5 million documents being accessed, 10 percent of which contained sensitive data impacting 104,000 people, with access given to the agency’s internal email systems. More recently, the Optus data breach saw the NSW Government swing into action again to work with the telco on supporting impacted customers following the cyberattack on its database.

Public servants are an important frontline of defence against cyberattackers and in shoring up protections around the personal data of citizens. Government bodies and departments will always be major targets for malicious actors, but there are simple steps that can be taken to mitigate the risks.

Mitigating the risks

Data breaches are most commonly the result of human error, whether that’s falling for a social engineering trick, or posting sensitive information in an unsecured place.

Verizon’s Data Breach Investigations Report (DBIR) in 2022 revealed that 82 per cent of all cyber breaches recorded involved a human element. As the report showed, even when a breach is not directly caused by human error, it’s based on information systems which were designed and built by humans.

And this means all public servants, not just those in front-facing or cybersecurity-focused roles but also those designing policies and processes and implementing technology or project management outcomes, need to be aware of the human element as the weak link in protecting against cyber incidents.

A data breach does not always involve a malicious actor looking to obtain sensitive data and sell it on the dark web. It can often just be the result of an employee accidentally putting information in the wrong place, such as an unprotected area of their network.

The DBIR found that internal actors in public administration are seven times more likely to make a mistake leading to a breach than to do so by acting maliciously.

Public servants at the frontline

Public servants need to constantly be on high alert for any suspicious behaviour on their networks, such as emails that could be phishing campaigns. One wrong click can lead to a potentially devastating breach, and employees at all levels and in all roles need to be alert and aware of what to look for.

Training is a significant part of improving the cybersecurity of public sector organisations. This training needs to focus on embedding and improving security behaviours in the day-to-day operations of a government body, such as through secure coding and lifecycle management.

This training should be active and regular – it cannot just be a one-off, tick-box exercise. Malicious actors are constantly updating their techniques, and public servants need to do the same with their cyber defences.

This training should involve the running of tests, a measurable outcome, a baseline, an intervention to see if the test changed the outcome, the random assignment of employees and reporting of the results of the testing.

A focus also needs to be placed on access management control and account management to mitigate the potential damage of a compromise. This involves conducting an audit of who has access to what, and if this is really necessary, with a guiding framework of as few people as possible having access to the wider system.

The enforcement of two-factor authentication across the board is also a simple and effective step the public service can implement to help mitigate the risk.

The biggest step the public service can take in shoring up their security is to embed a culture of cybersecurity awareness across the entire sector. Every public servant has an important role to play in this, and it’s never been more important.

*John Hines, Verizon’s head of APJ cybersecurity
