Foreign intelligence attacks and data breaches against Australia's overseas embassies are not being properly assessed and some diplomatic security coordination and monitoring remain ineffective, a review has warned.
A National Audit Office report on protections at overseas diplomatic installations has found strategic planning, management of security measures and some staff training are not fully effective, while comprehensive plans for implementing security reviews on the ground are needed to reduce risks to diplomats, their families and locally engaged staff.
Despite an increased focus on foreign intelligence threats including hacking and espionage in the wake of Russian interference in last year's United States presidential election, the report finds the Department of Foreign Affairs and Trade's current risk assessment measures for information security and data breaches at embassies and high commissions are ill-defined.
Breaches of data are rated moderate, major or severe, but the report says the different ratings are not defined, reducing the effectiveness of risk assessment.
The report also "identified instances where DFAT had not appropriately managed sensitive and classified information".
Some existing security controls had serious limitations. DFAT reported an x-ray machine as part of controls at one post, even though guards did not know how to operate the machine.
The audit, which follows a 2015 internal security review, found DFAT's arrangements to specify overseas physical security measures and put in place security infrastructure had not been completely effective, while monitoring and reporting of security was limited as it is "not consistently implemented or verified."
"This reduces the assurance provided by these arrangements that security at overseas posts is effectively mitigating risks," the report said.
Field audits for the review were conducted at four DFAT posts in the Middle East, Africa, Asia and Europe and included inspections of security arrangements inside and outside the buildings, reviews of diplomatic residences and interviews with DFAT and agency staff.
Infrastructure assessed included perimeter security, walls, gates, CCTV, vehicles and blast protection barriers, access control, guarding arrangements, screening and staff culture.
Australia's diplomatic posts range in size from large complex offices with more than 400 staff, to small posts of just five people.
DFAT manages 104 overseas diplomatic posts, staffed by nearly 900 Australians and 2400 locally engaged staff. About 20 other Australian government agencies maintain a presence at overseas posts, facing security threats including general crime, politically motivated violence, civil disorder and espionage.
Heads of mission and DFAT officials in Canberra manage security, while $114.5 million was spent on security support in 2015–16.
Of the total, $56 million, or 48.9 per cent of the funding, was spent on security service contracts for armed guarding at the Kabul and Baghdad embassies.
Agencies including the Department of Immigration and Border Protection, Austrade, Defence and the Australian Federal Police have more than 1150 Australian staff working at diplomatic posts.
The report said DFAT was implementing reforms to address security gaps and had established a security committee. It said a group working on threat assessments for overseas posts was working with an ineffective risk measurement tool, which led to poor quality and inconsistency.
"In addition, the lack of consolidated information on existing security measures in place across the posts imposed limitations on DFAT's ability to identify and report security issues and measures to senior management," it said.
Among the report's seven recommendations are calls for a new strategic plan to address future security needs, better security training and improved internal processes.
It recommends a database of physical and operational security measures at overseas posts be established.
DFAT said it did not agree with all of the report's findings but accepted the recommendations.
"DFAT would have welcomed more recognition in the report of the measures taken and progress made to strengthen DFAT's security culture, procedures and systems following the internal reviews," the department said.