The Western Australian government has announced it will sink AU$1.8 million into establishing a whole-of-government cybersecurity operations centre.
To be managed by the Department of Premier and Cabinet’s Office of Digital Government, the centre will provide further support to existing cybersecurity efforts across government and the dedicated cybersecurity team within the Office of Digital Government.
Western Australian Innovation and ICT Minister Dave Kelly has labelled it a first for the state.
“During COVID-19, we’ve seen a rise in malicious cyber activity in terms of frequency, scale, and sophistication … the new operations centre will provide unprecedented visibility of threats against agencies’ networks, as well as improve the state government’s ability to coordinate and respond to cybersecurity threats against our systems,” he said.
Kelly added that the centre would also be an additional avenue for cybersecurity TAFE and university students who participate in the Office of Digital Government’s work-integrated learning program.
Earlier this month, the state’s Office of Digital Government signed a memorandum of understanding with Microsoft to see both deliver cybersecurity capabilities for the public sector and collaborate on initiatives to identify and eliminate cybercrime.
These initiatives follow revelations from a recent audit that even after 12 years, many entities within the government failed to meet the benchmark for minimum practice when it came to information security, business continuity, management of IT risks, IT operations, change control, and physical security.
The audit found only 15 entities met the benchmark in 2019, compared to 13 in 2018. The results echoed many of the concerns highlighted in previous years.
The proportion of entities that met the benchmark for information security increased from 47% to 57% in 2019.
“However, a large number of entities are still not managing this area effectively,” the report said.
Weaknesses found included inadequate or out-of-date information security policies; no reviews of highly privileged access to applications, databases, and networks; a lack of processes to identify and patch security vulnerabilities within IT infrastructure; no information security awareness programs for staff; a lack of staff training and development in information security; a lack of information classification policy or procedures; and weak password controls without multi-factor authentication.