It seems government departments are no longer safe from hackers, new findings say. But business is far from safe either.
Almost one fifth of government passwords that give access to highly confidential information are at risk of being compromised when exposed to a stress test or brute-force hacking, a report released yesterday reveals.
But this is nothing compared to private-sector firms and other state agencies, which show major weaknesses in password usage, it also warns.
The stress tests, run by the Australian National Audit Office, tried combinations of characters and symbols; run over a period of time, they could expose the shortcomings of the passwords in use, leaving them wide open to hackers and other security risks.
Other test methods, using words and numbers, were also run, although they failed to expose the same level of weakness as the primary “brute force” test.
“Of more concern was that in three of the four agencies audited, the test compromised some administrator and/or service account passwords.”
The departments tested included the high profile Department of the Prime Minister and Cabinet, Australian Office of Financial Management and Medicare Australia.
So what can be done to minimise the risk from hacking? More complex passwords rather than simple ones are a start, but standard security settings, such as an automatic lockout after a number of failed access attempts, will also reduce the security risk, according to the report.
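As an added illustration of the two controls the report recommends (this is example code, not code from the report or the article): a small Python model of an account lockout that triggers after a fixed number of consecutive failed attempts, alongside a password-policy check and a keyspace estimate showing why a longer password drawn from more character classes resists an exhaustive search. The attempt limit, lockout window, minimum length and class count are assumed values; the report gives no figures, and the account name and guess list are constructed sample data.

```python
import string

# Assumed policy values; the report does not specify numbers for these.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_LENGTH = 12
MIN_CLASSES = 3


class FakeClock:
    """Constructed clock so the lockout window can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginGuard:
    """Locks an account after max_attempts consecutive failures for lockout_seconds.

    A real deployment would persist this state and also rate-limit by source
    address; the per-account counter is what stops an online guess loop from
    working through a large candidate list.
    """
    def __init__(self, clock, max_attempts=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.clock = clock
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> clock time when the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]   # lock expired: reset the counter too
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_correct):
        """Returns 'locked', 'ok' or 'denied'. A correct password is still refused while locked."""
        if self.is_locked(account):
            return "locked"
        if password_correct:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return "denied"


def character_classes(password):
    """Which of the lower, upper, digit and symbol classes appear in the password."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def meets_policy(password):
    """Minimum length and class count; both thresholds are assumed values."""
    classes = sum(character_classes(password).values())
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


def keyspace(password):
    """Candidates an exhaustive search over the same classes and length must cover."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, present in character_classes(password).items() if present)
    return alphabet ** len(password)


def exhaustive_search_seconds(password, guesses_per_second):
    """Worst-case time to cover the keyspace at the given offline guess rate."""
    return keyspace(password) / guesses_per_second


def replay_attempts(guard, account, candidates, real_password):
    """Feeds a constructed candidate list through the guard and returns each outcome."""
    return [guard.attempt(account, c == real_password) for c in candidates]


if __name__ == "__main__":
    guard = LoginGuard(FakeClock())
    # Constructed sample data: a weak password and a short candidate list.
    candidates = ["password", "123456", "letmein", "admin", "qwerty", "welcome1"]
    print(replay_attempts(guard, "svc_backup", candidates, "welcome1"))
    # The sixth entry is 'locked' even though it matches: the lockout held.
    for pw in ("welcome1", "Tr0ub4dor&3x"):
        print(pw, meets_policy(pw), f"{exhaustive_search_seconds(pw, 1e9):.2e} s at 1e9 guesses/s")
```

The lockout counter resets only on a successful login or when the window expires, which is the behaviour that makes the limit meaningful; a counter that reset on every attempt would be no limit at all. The keyspace figure is a worst-case bound for an offline search and says nothing about dictionary words, which is why the policy check and the lockout are used together rather than relying on either alone.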
However, fraud can be internal or external, the report, entitled The Protection and Security of Electronic Information Held by Australian Government Agencies, also warns.
This means personal information could be easily accessed, but it also means business could be exposed to similar security risks on its own IT systems.
So what can be done to prevent fraud? The steps to minimise risk include the following:
· Regular supplier reviews (includes surprise audits)
· Data mining / analysis
· Internal and external reporting mechanisms (hotlines, website, internal reporting channels)
· Response to identified / reported frauds
· Management / internal audit review of internal controls
An entity’s fraud risk assessment also needs to be updated at least every two years or in the event of a significant change.