It goes without saying that protecting important information assets with secure systems is critical to Queensland’s economic and security interests.

The Queensland Audit Office regards cyber security as the biggest threat to state and local government public sector entities. Cyber attackers are targeting entities and the attacks are intensifying in frequency and sophistication. In fact, the Global Risks Reports produced by the World Economic Forum in 2018 and 2019 found that ‘data fraud or threat’ and ‘cyber attacks’ are in the top five most likely global risks.

Last year, a cyber security attack compromised a Queensland energy entity’s information system. While service delivery was not immediately compromised, the incident highlights the continued need for active management by all entities of this risk. This places increased pressure on those charged with governance to understand the threat and ensure that any weaknesses in their internal controls are promptly addressed. 

In all our reports to parliament on the results of our financial audits, we continue to find weaknesses in the security of many entities’ information systems, and most of these weaknesses relate to internal control issues we raised in previous reports. In our reports, or via our engagement during our audit work, we have recommended that entities more actively manage their security with mitigation strategies. These strategies may include whitelisting applications, restricting administrative privileges, and patching operating systems and applications.

Other, previous, reports to parliament contain valuable learnings for all entities, and guidance they can consider and self-assess against. In our 2019 report on Managing cyber security risks (Report 3: 2019–20), our 17 recommendations cover cyber security frameworks, classifying information, identifying and assessing cyber risks, managing information assets, and risk mitigation strategies.

We also highlight methods for managing the security of control systems for infrastructure assets in Security of critical water infrastructure (Report 19: 2016–17). This audit assessed whether a selection of entities responsible for critical water infrastructure have processes in place to protect their control systems. The report includes key questions that senior management should ask when seeking a better understanding of their information technology security risks.

Multiple QAO blog posts cover internal controls and/or cyber security risks. We call your particular attention to The role of governance committees in managing cyber security risks published in July 2021, which gives governance committees 12 questions or a ‘check list’ to consider when managing cyber security risks. The questions start with ‘do we know what our mission critical assets are’ and end with ‘how is the information technology function changing its strategic priorities in the short, mid, and long term and are resources sufficient to achieve these priorities?’

In light of recent incidents, we encourage all organisations to revisit our reports and resources, consider the recommendations, and act immediately to proactively mitigate this considerable and concerning risk.

Related reports to parliament:

• Energy 2021 (Report 7: 2021–22)
• Water 2021 (Report 3: 2021–22)
• Transport 2021 (Report 10: 2021–22)
• Managing cyber security risks (Report 3: 2019–20)
• Security of critical water infrastructure (Report 19: 2016–17)
• Education 2020 (Report 18: 2020–21)
• Local government 2020 (Report 17: 2020–21)
• Health 2020 (Report 12: 2020–21)
• Energy 2020 (Report 11: 2020–21)
• Transport 2020 (Report 10: 2020–21)
• Water 2020 (Report 9: 2020–21)
• Traffic Management Systems (Report 5: 2013–14)