Auditor-general urges agencies to count cost of data breaches, as MoG changes lead to rising risk

By Shannon Jenkins

Thursday November 7, 2019

Getty Images

Government agencies in New South Wales have recorded 3324 data breaches in a year, but few estimated what each one cost and none recorded it.

The state auditor-general Margaret Crawford thinks that needs to change so that agencies can determine if prevention investment is adequate.

Crawford found the number of gaps in public service risk management has increased because problems she pointed out in the past were not fixed; agencies say this is because staff were busy implementing this year’s machinery of government changes.

In her latest audit report into the internal controls and governance of 40 of the NSW government’s largest agencies, Crawford refers to research by IBM Security and Ponemon Institute revealing the cost of data breaches.

“The report highlighted that the cost of data breaches continues to increase, and more consumer records are being lost or stolen, year after year,” she writes, noting the study found an average cost of $148 per lost or stolen record, and $3.86 million per data breach.

Crawford reports that while 70% of agencies have maintained registers of identified data breaches, they did not always contain the necessary information, which could stop agencies from developing effective preventative strategies.

While all of the agencies which maintained a register for data incidents recorded the date and nature of each incident, only 11% estimated the cost of the breaches, and none of them actually recorded the cost. The auditor-general said the cost of data breaches could be “a relevant input in determining if investment is adequate”.

Meanwhile, 75% recorded how each incident was contained, 68% detailed how data breaches were evaluated, 61% reported risk assessments from data breaches, 54% recorded having notified related parties and authorities, and only 50% recorded preventative controls that had been applied for future events. 

These stats were part of a broader investigation into the internal control deficiencies troubling the state’s agencies. The Audit Office found a total of 349 internal control deficiencies, 78% of which were financial or IT operational deficiencies, which was fairly consistent with the previous years’ audit.

However, internal control deficiencies have gone up 12% since last year, largely due to a 100% increase in repeat internal control deficiencies, and a 12% increase in new financial control deficiencies. Unresolved issues from past years represented 37% of all the internal control deficiencies identified, which “highlights a trend of agency delays in addressing control deficiencies”, the report said.

This year’s machinery of government changes may have contributed to the increase in repeat internal control deficiencies, according to the report. 

“Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the machinery of government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised,” Crawford noted.

Repeat findings of IT control deficiencies have increased by 138% since 2014–15, while new IT control deficiencies have actually decreased by 34%. This works out to be a 42% increase in deficiencies overall.

“Good IT controls are an essential ingredient underpinning effective processes, policies and procedures for managing information systems, securing sensitive information, and ensuring the integrity of agency data,” Crawford argued.

“Poor IT controls increase risks to agencies, including unauthorised access, cyber security attacks, fraud, data manipulation, privacy breaches, non-compliance with laws and regulations and information theft. The longer a deficiency remains unaddressed, the greater the risk that the vulnerability will not only be exploited, but will be repeatedly exploited increasing the potential losses to the agency.”

The findings which were common across agencies included: out-of-date or absent policies; poor record keeping and document retention; incomplete or inaccurate centralised registers; and inappropriate policies, procedures or controls.

About the author
Inline Feedbacks
View all comments