20 April 2019

Secure enough to contract the Australian Government?

For most businesses, winning a government contract is a big deal. Months of tender writing and meetings are about to pay off. But is a lack of cyber security putting your hard work and contract at risk? And if you win the contract, are your IT systems safe from professional hackers looking for a backdoor into government systems?

The Australian Government, through the Australian Cyber Security Centre (ACSC), has warned contractors about a significant increase in cyber activity being reported by government contractors in Australia and overseas. The ACSC noted that contractors have become high priority targets for cyber activities.

One example is Australian defence shipbuilding contractor Austal, which announced in November 2018 that its Australian business had detected a breach of the company’s data management system by an unknown offender.

As more information becomes digital and is shared with third-parties, the threat to government contractors and subcontractors is increasing.

Privacy requirements for Government contractors

To help control cyber security risks, the Australian Government requires that any organisation which enters into a contract with an Australian Government agency is subject to the Privacy Act, Notifiable Data Breach scheme and the Australian Privacy Principles. Importantly, privacy laws extend beyond contractors to subcontractors.

For most organisations with an annual turnover of $3 million or less, the Privacy Act does not usually apply. However, this is not the case when the organisation is or was a party to a Commonwealth contract.

If there is a breach of the Privacy Act, the Office of the Australian Information Commissioner has extensive powers to obtain information and to take evidence under oath. If the breach has caused irreparable damage or complaints cannot be conciliated, the Commissioner can impose a variety of penalties, including financial compensation.

How do data breaches occur?

There are many ways data breaches can occur. The Office of the Australian Information Commissioner has provided a number of examples, including:

  • Databases containing personal information being ‘hacked’ into or otherwise illegally accessed
  • An individual deceiving an agency or organisation into improperly releasing the personal information of another person
  • Lost or stolen laptops, removable storage devices, or paper records containing personal information
  • Employees accessing or disclosing personal information outside the requirements or authorisation of their employment

Recommended Security Strategies

To prevent data and privacy breaches, the Australian Government has advised that contractors and subcontractors should implement the Essential Eight Strategies to Mitigate Cyber Security Incidents as a security baseline. The eight recommended strategies are:

  • Restrict administrative privileges
  • Use Multi-Factor Authentication
  • Whitelist applications
  • Harden applications against vulnerable functionality
  • Patch applications for security vulnerabilities
  • Patch operating systems
  • Configure Microsoft Office macro settings
  • Perform daily backups

It is important to recognise that the above strategies are a recommended minimum for data security. They should not be the only strategies used to prevent data loss and privacy breaches.

Note: Although efforts to verify the accuracy of the above article have been made, First Focus recommends that you should seek your own professional legal advice.