The ACT government has no whole-of-government response plan for a data breach and individual agencies are not prepared to respond to a data breach or loss of systems, a scathing audit report has found.
On the same day Prime Minister Scott Morrison announced that all levels of Australian government organisations, as well as private sector organisations and essential services, were subject to an ongoing hacking attempt from a sophisticated state-based actor, the report laid bare the failings at an ACT level.
While ACT Chief Minister Andrew Barr has been briefed on the cyber attacks, The Canberra Times understands no ACT government agencies are subject to the current attack, but agencies in larger states are.
ACT auditor general Michael Harris handed down his assessment of the ACT government's protocols and preparedness for a data breach on Friday morning, finding the public service was not well-placed to understand what data each agency was responsible for, the risks of data breaches and how to manage the risks.
"Agencies have not clearly understood their data security risks and requirements," the report said.
Most agencies haven't effectively documented their security system risks or controlled the use of cloud-based IT services, and a particular area of risk is a lack of user education in using data securely.
"A lack of awareness has been demonstrated in a lack of understanding on how to share data securely, as well as to recognise when a data breach has occurred and needs to be reported," the report said.
"This increases the likelihood of a data breach and its potential impact."
While officials have agreed to improve the government's ability to respond to data breaches, the plans haven't been completed and there is no whole-of-government plan to respond to a data breach.
Individual agencies are also not well placed to respond to a data breach or loss of system availability, the report said.
While there are a number of documents and strategies relating to cyber security within the ACT government, they are not connected or coordinated in an effective manner, according to the report.
"None of these documents presently fulfil the role of an overarching strategy or plan for ACT Government agencies to manage and improve data security," the report said.
Chief Minister Andrew Barr said on Friday the government was responding to the recommendations in the report.
"Clearly the auditor has highlighted areas for improvement and they've [Shared Services] been working closely with the audit office in relation to the concerns that have been identified," he said.
"We're responding to the recommendations of the auditor, this announcement from the Prime Minister highlights the need for everyone to be cautious and to ensure that our security systems are up to date and our teams are active in responding."
Mr Barr said despite the poor performance reflected in the report he was confident the ACT could handle cyber attacks like the one revealed by Mr Morrison on Friday, and that there had been no successful attacks in recent times.