The ICT disaster recovery systems of Victorian Government agencies are archaic, obsolete and largely ineffective.

A Victorian Auditor-General’s Report on ICT Disaster Recovery Planning has found that five government agencies do not have the necessary systems in place to recover from a disruption, leaving them exposed to cyber attacks.

“None of the agencies’ disaster recovery processes are robust enough to effectively and efficiently recover all critical systems in the event of a disruption,” the audit office said.

“They do not have sufficient and necessary processes to identify, plan and recover their systems following a disruption. Compounding this is the relatively high number of obsolete ICT systems all agencies are still using to deliver some of their critical business functions.

“These circumstances place critical business functions and the continued delivery of public services at an unacceptably high risk should a disruption occur.”

With government systems now operating almost completely digitally, the risk of these systems being disrupted due to a cyber attack or natural disaster now brings with it enormous social and financial implications.

The audit assessed each agency’s business impact analysis (BIA) processes against the globally recognised COBIT Process Assessment Model: Using COBIT 5, 2013.

Of the five agencies audited, Victoria Police and the Department of Economic Development, Jobs, Transport and Resources (DEDJTR) were found to be the most vulnerable.

The results for Victoria Police were particularly concerning.

Of its 24 critical systems, only three have disaster recovery plans, while 19 (79%) of these systems were shown to be obsolete.

These vulnerabilities leave sensitive records such as the Attendance and Custody system for custody management exposed.

“Victoria Police’s disaster recovery processes are not robust enough to effectively and efficiently recover all critical systems after a disruption. The agency currently only has capability to recover selected critical systems,” the audit said.

“Victoria Police has not effectively managed the risk of system obsolescence, as shown by the high percentage of its critical systems that are obsolete.”

The Department of Health and Human Services (DHHS) systems also revealed endemic weaknesses, with the report finding it had not performed audits on its disaster recovery program and processes in the past five years.

It also highlighted that the decentralisation of its business units in determining disaster recovery requirements had negatively impacted its disaster recovery abilities.

Remembering WannaCry

The dangers of poor ICT disaster recovery systems in healthcare were exposed during the global WannaCry attacks in early May.

The ransomware hit computers worldwide; however, UK hospitals were among the worst affected by the attacks.

Up to 70,000 devices on the National Health Service (NHS) were affected, including MRI scanners, causing some hospitals to cancel all non-urgent surgeries and X-ray appointments.

Although the incident did not lead to any deaths, it highlighted the real-world impacts ICT disasters can have and the need for fast and effective recovery.

Recommendations

The good news for the Victorian Government is that the audit put forward 15 recommendations to help it improve its disaster recovery capabilities.

The main recommendation? Be prepared.

It urged the five government agencies to “appoint a team of suitably qualified and experienced professionals to form a collaborative disaster recovery working group.”

It also urged them to develop adequate disaster recovery plans and provide advice and training to staff on specific disaster recovery systems.