It’s often said staff are the weak point in an organisation’s cyber security, with a single click on a dodgy link enough to undercut expensive infrastructure.
It turns out building security suffers from similar problems.
In a slightly unusual step, Victorian Auditor General Andrew Greaves hired a specialist security consultant to go undercover and try to get into offices belonging to the Department of Health and Human Services and the Department of Justice and Community Safety — and they did.
The problem was not physical infrastructure, which was up to the job, but staff themselves. Although some did question the outsiders and ask for identification, the testers managed to get in nonetheless.
“While all tested sites have a range of physical security measures that control unauthorised access to some extent, security controls were bypassed and we accessed areas not permitted to the public,” says the audit published on Wednesday.
“This enabled access to information and physical assets. We successfully accessed these sites because staff did not understand their role in maintaining physical security, or did not comply with established processes, allowing our testers access.”
In one case, testers managed to get hold of the master keys for a multi-tenant building. In another, “highly confidential information was found unsecured, outside of the immediate office area”.
The auditor blames human error and “a weak security culture”.
“This weak security culture among government staff is a significant and present risk that must be urgently addressed.”
The auditor’s testers also observed several breaches and risks of a more moderate nature:
- Confidential information within the office space was not adequately secured or locked in lockers, tambours or filing cabinets.
- Staff did not always adhere to the clear desk policy, nor was it monitored or enforced by the department.
- There is not a strong practice of staff questioning or challenging unfamiliar or suspicious people in the office space.
- Staff were not aware or did not challenge those who tailgated them.
- The period of time that accessible gates remain open, and their use by able-bodied people for convenience.
- Workstations were often unlocked when unattended and passwords were left nearby on sticky notes.
- Lax processes for visitor or contractor sign in and approval.
In 2018, DHHS had the most security incidents reported to the Shared Service Provider, a business unit in Treasury which helps agencies manage security — but the auditor notes this is probably because it has more security guards, and is therefore able to detect more incidents.
“It is almost certain that incidents are occurring within the office accommodation of the other government agencies,” says VAGO.
The most common incident type was irate or abusive behaviour, followed by medical and physical damage.
The problems found by the auditor are not helped by the fact that there is no statewide oversight or coordination of protective security.
“At present, there is no clear, strategic leader for policy, oversight and coordination of the three domains of protective security across government agencies. This precludes the better integration and coordination of protective security arrangements,” says VAGO.
The departments concerned have some way to go on security policies too.
“At the agency level, DJCS has made positive steps towards developing department-wide policies and procedures for security management. DHHS, however, has not developed its security policies and procedures, making it more vulnerable to unauthorised access.”
The auditor wants improvements in incident reporting and recommends Treasury, Premier and Cabinet and Justice work together to develop “a statewide principle-based physical security policy, with clear accountabilities for government agencies”.
All 12 recommendations have been agreed to by relevant agencies.
Justice Secretary Rebecca Falkingham said the department “is committed to promoting a strong security culture and good governance and undertaking regular physical security planning and risk assessment as recommended by the report.”
Health and Human Services Secretary Kym Peake wrote that DHHS “is already developing a security management governance structure to incorporate executive oversight and a physical security assessment model to support regular physical security and risk assessments at all office accommodation sites.”