There are concerns the Australian Taxation Office (ATO) has more work to do on cyber security standards, with Commissioner of Taxation Chris Jordan telling Senate estimates last night that sustained outages at the tax office may have slowed down plans for security policies.
On Wednesday a joint committee report into cybersecurity compliance in government departments highlighted the committee “is most concerned that the audit found that the ATO and [Department of Immigration and Border Protection] are still not compliant with the mandatory ‘Top Four’ mitigation strategies”.
The mitigation strategies, which are the top four of the eight “essential” controls recommended by the Australian Signals Directorate for warding off cyber security threats, are restricting administrative privileges, patching operating systems, patching applications and application whitelisting.
The ATO told the committee it would take until November to become compliant with the practices, but in a Senate estimates hearing on Wednesday evening Commissioner of Taxation Chris Jordan told the room there was a reason for the delay in the plan for cyber security: the sustained system outages that hit the office from December last year.
Jordan told Labor Senator Jenny McAllister the December outage “slowed down” progress on cyber security compliance.
The tax office has undertaken a comprehensive review of systems stability after repeated system failures started playing havoc with clients following an initial major outage on December 11, 2016.
PricewaterhouseCoopers was engaged to conduct an external audit of ATO systems, which identified 14 key areas for improvement to ensure systems stability at the tax office for the long term. However, the focus of this was on how the ATO’s various portal systems interacted, rather than on cyber security priorities.
The accounting sector has previously told SmartCompany cyber security planning is not the only thing to be slowed down by the December outage. Finance professionals were expecting overhauls to a range of tax office portal systems in the near future, but the Institute of Public Accountants says these have been put on hold.
“Priority one, two and three is just maintaining a stable system. All of the system upgrades and moving to better platforms are all on hold,” the IPA’s general manager of technical policy Tony Greco told SmartCompany in June.
“The existing systems aren’t perfect, and we’re having to wait longer for new ones.”
According to the joint committee report, if Commonwealth entities were to all comply with the four most important strategies for cybersecurity, 85% of targeted cyber attacks could be prevented.
Overall, the committee noted that evidence provided about cyber security policies at government departments “from both submitters and witnesses [suggest] that compliance with the Top Four mitigation strategies is a minimum standard and does not necessarily equate to cyber resilience”.
In 2013, the government mandated the top four strategies for fighting cyber attacks and put a timeline in place to have all departments on board by June of 2014.
SmartCompany contacted the ATO for comment but did not receive a response prior to publication.