Hackers move in for the kill
Xolani Mbanjwa and Sabelo Ndlangisa, City Press
Johannesburg - The Auditor-General (A-G) says lax government information technology system security must be tightened up to make it less vulnerable to hackers.
A top IT researcher has warned that “hackers and criminals are having a picnic in government departments and entities”, all at taxpayers’ expense.
The warnings come in the wake of an audit of government IT systems which found that many government departments and state-owned organisations had defective IT systems.
Deputy Auditor-General Kimi Makwetu said gaps in IT controls left the government vulnerable to criminal behaviour.
“Somebody can hack into departments and entities when they are as far away as India or Dubai if the security controls that are supposed to prevent that person from accessing information are not there.
“It shouldn’t be easy to get through these controls, which are meant to be prevalent in government,” said Makwetu.
The A-G’s general report on national audit outcomes found that:
» 81% of the 37 audited national departments lacked the security controls to stop unauthorised access to the IT networks that generate and prepare financial information;
» 92% of the departments lacked proper user access management procedures that would allow only authorised users to effect and approve transactions in their IT systems;
» 79% lacked IT governance policies and structures which would ensure their IT systems were in line with their business; and,
» All the audited departments lacked the software and applications that would allow them to recover their data in case of a disaster.
Even the custodian of government information systems, the State Information Technology Agency, failed the audit.
The audit found weaknesses in supply chain management, which deals with the procurement of goods and services by government.
“Financial transactions are done through computers and when we test things like user access management, we want to find out how easy it is for a person to gain access to a department network to do the electronic transfer of funds,” Makwetu said.
No IT security policy
“No one, including employees, should find it easy to do electronic funds transfers. If you don’t have controlled access those employees can do all sorts of transactions and be out before you know it.”
Most departments blamed their problems on the department of public service and administration, which has not come up with an IT security policy for government.
He said departments and entities often did not follow up on reports about unauthorised employees or outsiders who tried to gain access to their networks.
IT research company World Wide Worx founder Arthur Goldstuck said: “The hackers and criminals are having a picnic in government departments and entities at the expense of the taxpayer.”
“Ultimately the problem boils down to limited oversight. The public sector doesn’t have the skills to apply the IT controls or the knowledge to appoint the right people with the skills to apply the controls needed. That is why controls are not in place in government,” said Goldstuck.
Dumisane Nkwamba, the spokesperson for the department of public service and administration, said his department was not ready to comment about the A-G’s findings.