Public sector agencies “are not taking risks to information systems seriously enough,” says Western Australia’s Auditor General Caroline Spencer.
Weak passwords are one of the biggest risks, she argues in a new report.
The auditor reviewed approximately 234,000 enabled accounts across 17 WA agencies and found that 26% had weak or commonly used passwords.
Despite this issue being raised many times already, not much progress has been made, Spencer says. Leaders need to push for improvements, rather than assuming the problem will be fixed.
“We have demonstrated to agencies on many occasions how weak passwords are used to access information systems without detection. A pressing issue that must be acknowledged and addressed across the sector is for agencies’ executive management to engage with information security, instead of regarding it as a matter for their IT departments,” she argues.
“The days of senior leaders not understanding information security and capability as a key business risk to be closely monitored and appropriately managed are over. The consequences to state service delivery, trust in the sector and institutional reputations are too great.”
Most of the issues raised “can be easily addressed and it appears that risks are simply not properly understood,” Spencer says.
The worst cases are sitting ducks for a cyber attack and theft of data:
“In 2017, we assessed a test environment from a WA agency’s web system, which was publicly available through the internet. We gained access to the agency’s network with full system administrator privileges by using an easily guessed password, Summer123. We identified a significant amount of production data in this environment.”
From password123 to abcd1234
Some agencies performed particularly badly. The 10 agencies with the highest percentage of weak passwords ranged from 20% to 56%. This included many administrator accounts with weak passwords.
The 10 most common passwords were:
And while forcing users to make longer passwords is a common way to make them more secure, many were still weak. “Easily guessed long passwords do not adequately mitigate the risk of unauthorised access to systems,” said the auditor.
Although agencies had complexity requirements for passwords in place, these are often only enforced when a password is changed. Because many systems do not require regular changes, a large number of accounts still carry old passwords that were never checked against the current policy.
The auditor found 13% of accounts do not comply with password policies or complexity requirements.
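The two findings above, that complexity rules are only enforced at change time and that long but guessable passwords still fail, are easy to reproduce in a small audit. The following is an added example, not code from the auditor's report: it runs a complexity check and a separate guessability check over a constructed account list (plaintext passwords are used only for illustration; a real audit compares password hashes against a large breached-password list), and reports the accounts that pass the policy yet remain weak. The denylist, patterns and account names are assumptions.

```python
import re

# Constructed denylist; a production audit would use a large breached-password list.
COMMON = {"password123", "abcd1234", "summer123", "welcome1", "qwerty123", "letmein"}


def meets_complexity(pw, min_len=8):
    """Typical policy: minimum length plus upper, lower and digit. Passing this
    says nothing about guessability, which is the gap the report describes."""
    return (len(pw) >= min_len and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw)) and bool(re.search(r"\d", pw)))


def _guessable(low):
    if low in COMMON:
        return True
    # Dictionary word plus digits or a year, optional trailing symbol: Summer123, Welcome2017!
    if re.fullmatch(r"(summer|autumn|winter|spring|password|welcome|admin)\d{1,4}[!@#$]?", low):
        return True
    # Alphabet or keyboard run padded with digits: abcd1234, qwerty123456
    return re.fullmatch(r"(abcd|abcdef|qwerty|asdf)[a-z]*\d{3,}", low) is not None


def is_weak(pw):
    """Flags easily guessed passwords regardless of length."""
    low = pw.lower()
    if _guessable(low):
        return True
    # A guessable chunk repeated to satisfy a length rule: Winter2017Winter2017
    for n in range(3, len(low) // 2 + 1):
        if len(low) % n == 0 and low == low[:n] * (len(low) // n) and _guessable(low[:n]):
            return True
    return False


# Constructed sample: (username, is_admin, password)
SAMPLE_ACCOUNTS = [
    ("svc_admin", True, "Summer123"),                # policy-compliant, trivially guessed
    ("jsmith", False, "password123"),                # fails policy and is common
    ("kli", False, "abcd1234"),                      # fails policy and is common
    ("dbadmin", True, "Winter2017Winter2017"),       # long, compliant, still guessable
    ("anguyen", False, "c0rrect-Horse-batt3ry"),     # compliant and not flagged
    ("legacy_app", False, "longpassphrase"),         # never re-checked against policy
]


def audit(accounts):
    """Summarise weak and non-compliant accounts, admin accounts included."""
    n = len(accounts)
    weak = {u for u, _, p in accounts if is_weak(p)}
    noncompliant = {u for u, _, p in accounts if not meets_complexity(p)}
    return {
        "accounts": n,
        "weak_pct": round(100 * len(weak) / n, 1),
        "weak_admins": sorted(u for u, admin, _ in accounts if admin and u in weak),
        "noncompliant_pct": round(100 * len(noncompliant) / n, 1),
        # Passes the complexity policy yet guessable: the gap a policy check alone misses
        "compliant_but_weak": sorted(weak - noncompliant),
    }
```

The `compliant_but_weak` entry is the one to watch: these accounts would never be caught by enforcing the complexity policy at change time, which is why a denylist check against existing credentials is needed.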