Cyber security risks represent one of the most significant threats to all organisations, with attacks increasing in intensity and frequency. Recent cyber attacks on the information systems of large Australian corporate entities have resulted in disruptions to their operations and leaked customer data.
Government entities hold sensitive information that makes them an attractive target for cyber attackers. Across our audits of public sector and local government entities, we continue to identify control weaknesses in the security of their information systems. Entities that rely on legacy systems (older systems for which the supplier/vendor no longer provides any support) are particularly susceptible.
It’s critical to know what else you need to do if your entity experiences a data breach, in addition to containing it.
Assess the extent of the breach
- What data have the attackers accessed? The recent experience of large Australian corporate entities has shown that establishing this can take considerable time, particularly where a large volume of data is involved.
- What type of data is it? This helps you assess the risk involved, the possibility for harm, and who you might need to notify. The Queensland Government Information Security Classification Framework is one way that entities classify their data and is mandatory for departments. For example, does the breached data include items labelled as sensitive or above, which may include personal information?
- Is your data covered by a mandatory data breach reporting scheme? For example, the Australian Government's notifiable data breaches scheme, the mandatory cyber incident reporting requirements for certain critical infrastructure, or the My Health Records Act 2012.
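Scoping a breach in practice means working through the data the attackers reached and establishing which records hold personal information and of what kinds, because that drives both the classification question and the notification question above. The script below is an added illustration, not part of the original QAO guidance: it scans a constructed CSV export (the field names, records and the published test TFN 123 456 782 are all made up for the example) and reports how many records contain personal information and which kinds. The Tax File Number check uses the ATO's weighted-sum rule so that nine-digit reference numbers are not miscounted as TFNs.

```python
"""Scope a suspected breach: which exported records hold personal information, and what kinds.
Added example; the sample export, column names and detection rules are assumptions."""
import csv
import io
import re
from collections import Counter

# Constructed sample standing in for an export of the table the attackers accessed.
# The TFN is the commonly published test value 123 456 782, not a real person's number.
SAMPLE_EXPORT = """record_id,full_name,email,phone,date_of_birth,tfn,service_notes
1001,Alex Smith,alex.smith@example.com,0412 345 678,1984-03-12,,Rates enquiry
1002,Jordan Lee,,,,123 456 782,Concession application
1003,,,,,,Public submission about a park upgrade
1004,Sam Kaur,sam.kaur@example.org,07 3000 0000,1990-11-02,,Library membership
"""

# Columns assumed (for this example) to hold a person's name.
NAME_FIELDS = {"full_name", "name", "given_name", "surname"}

# Shape checks for common personal-information formats found in Australian records.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "au_phone": re.compile(r"^(?:\+61|0)[2-478](?:[ -]?\d){8}$"),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "tfn": re.compile(r"^\d{3}[ -]?\d{3}[ -]?\d{3}$"),
}

# ATO weights for the nine TFN digits; a valid TFN's weighted sum is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_check_digit_ok(value: str) -> bool:
    """Weighted-sum check that filters out nine-digit numbers that merely look like TFNs."""
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def classify_value(field: str, value: str):
    """Return the kind of personal information a single cell appears to hold, or None."""
    value = value.strip()
    if not value:
        return None
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            if kind == "tfn" and not tfn_check_digit_ok(value):
                continue  # looks like a TFN but fails the check digit: treat as non-personal
            return kind
    return "name" if field in NAME_FIELDS else None


def scope_breach(export_text: str) -> dict:
    """Summarise how many exported records hold personal information, and which kinds."""
    kinds = Counter()
    affected_records = []
    total = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        total += 1
        found = set()
        for field, cell in row.items():
            kind = classify_value(field, cell or "")
            if kind:
                found.add(kind)
        if found:
            affected_records.append(row["record_id"])
            kinds.update(found)
    return {
        "total_records": total,
        "records_with_personal_info": len(affected_records),
        "affected_record_ids": affected_records,
        "kinds": dict(kinds),
        # Heuristic flag only: personal information present suggests the data may need to be
        # treated as sensitive or above and that notification obligations should be checked.
        "personal_info_present": bool(affected_records),
    }


if __name__ == "__main__":
    for key, val in scope_breach(SAMPLE_EXPORT).items():
        print(f"{key}: {val}")
```

Run against the constructed export, the summary shows three of four records hold personal information (names, emails, phone numbers, dates of birth and one TFN), while the anonymous public submission does not; the affected record identifiers are the starting point for the notification list worked out in the next section. Real exports will need the field names and patterns adjusted to the system in question.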
Notify those affected
Given the nature of the data that government entities hold, it’s likely the breach may include personal information. You need to identify who and what data the breach affects, and work out a notification strategy.
- Do you have any legal obligations to notify the affected individuals? If so, seek advice to make sure you comply. You could ask employees who are responsible for managing privacy or information security within your entity, or external agencies such as the Office of the Information Commissioner.
- Does your entity wish to notify people affected even if there is no legal obligation to do so? This can demonstrate a commitment to open and transparent governance. Conversely, it can cause unnecessary stress and anxiety where the risk of harm is considered low and could be counterproductive.
- How will you notify affected individuals? The Office of the Information Commissioner recommends entities notify people directly, by telephone, letter, email or in person. Broadcast notifications (such as on your entity’s website) are generally only used where you don’t have the relevant contact information or to get ahead of information that the attackers may release themselves (for example, to media organisations).
- What details will you include in the notification? You may include:
- when the breach happened
- what data was and was not breached
- what your entity is doing in response
- what the individual can do to protect themselves
- how/when the entity will keep the affected parties updated or informed.
Report to relevant agencies
Where a mandatory data breach reporting scheme covers the breached data, you must notify the relevant agency. This might include the Queensland Government Chief Information Office, State Archivist, the Office of the Australian Information Commissioner, Australian Digital Health Agency, or Australian Cyber Security Centre, among others.
The Queensland Office of the Information Commissioner also strongly encourages entities to notify it of a breach, even where there might not be a legal requirement to do so.
Notifying the Queensland Audit Office (QAO) also helps us to understand any potential impact on our audit work and to provide you with assistance or advice where we can.
Learn from the incident
Your entity should learn from what has happened and take steps to prevent it happening again.
- Have you assessed your information security settings, trained your employees, and reviewed contractual obligations with your service providers?
- Have you updated your entity’s data breach response plan or created one if your entity doesn’t have one?
- Have you reported to your audit committee any identified breaches, what you did in response, and what you have learned?
In 2023, QAO plans to complete an audit on responding to and recovering from cyber attacks, which will provide further insights into, and lessons learned from, entities’ preparedness for these attacks.
Resources
- Queensland Government Office of the Information Commissioner – Privacy breach management and notification
- Australian Government Office of the Australian Information Commissioner – Data breach preparation and response
- Queensland Government Cyber Security Unit
- Australian Government Australian Cyber Security Centre
QAO reports to parliament
Managing cyber security risks (Report 3: 2019–20)
Local government 2020 (Report 17: 2020–21)
Queensland Audit Office Forward work plan 2022–25
QAO blogs
Advice on ransomware prevention and recovery
The role of governance committees in managing cyber security risks
Have you considered physical security as part of your cyber security strategy?