If Australia is going to take information security seriously, we need more people like the ATO's CIO, Bill Gibson.
It's no secret that people don't like discussing their business's security woes — I've been knocked back so many times after asking to discuss security it almost feels silly asking the question.
So when I first called the ATO a few months back, after learning that PricewaterhouseCoopers was conducting a review of the ATO's security practices, I expected my interview request to be declined. After all, the ATO is an AU$700 million a year IT shop which contains some of Australia's most sensitive information.
So to say I was shocked a few days ago, after hearing from the ATO that Gibson was ready to speak about the security review, is an understatement.
This is the problem with security in Australia and why we could benefit from data breach disclosure laws. As I said in my blog last week, the information we do have access to is mostly trite. The result is that we are limited in the ways we can think and discuss security. For consumers, it makes it almost impossible to assess the state of security in the country and the risks they face.
Anyway, after my initial excitement at the prospect of talking security with Gibson, I began to have doubts. They must have got a gold star in the review, I thought.
Which is why, when I secured a copy of the 100-page review yesterday, I was again shocked. The review found a security-conscious culture at the ATO — as you would hope — but also found some staff didn't know how to use approved file transfer channels, and serious problems when it came to the accountability of organisations it shares taxpayer information with.
Of course, the ATO hasn't experienced an HMRC-style data breach, so the review doesn't cut that deep. Even so, Gibson admitted a briefcase containing taxpayer information had been stolen, a disc had been lost and porn had been e-mailed by staff.
The review also discovered interesting human responses to security measures. Staff at government agencies must classify outbound e-mails according to their level of confidentiality, but some staff were "strategically" labelling them to either restrict access or bypass restrictions.
The most interesting aspect of the review, however, is that the ATO cannot be alone in the security challenges it faces. Nearly every person — vendor and end-user — I have spoken with is concerned about data leakage. And with the ATO's 22,000 staff, I can imagine some difficulties getting security right across the whole organisation. Yet as far as I can tell, no organisation, private or public, has opened itself in this way.
The ATO's security review is one of the most useful documents I have seen in my time at this publication, so it, and the ATO, get a gold star.