Report 28

Malware in the WA State Government

Audit conclusion

Malware is a constant threat for agencies. All 6 agency networks experienced numerous attempted attacks and malware downloads.

We did not observe a substantial number of ongoing malware infections, which indicated that the 6 agencies generally deal with malware they or their systems identify. However, the infections that were active constituted a serious threat to the agency networks.

All agencies experienced attacks that were able to defeat at least 1 security control or technology. This highlights the need for agencies to employ layered controls with constant monitoring and improvement. The layering of controls is a ‘defence in depth’ approach to cybersecurity.

The control failures we identified were consistent with the findings in our annual Information Systems Audit Reports. The findings illustrated yet again the importance agencies should place on ensuring that often basic, easy to implement controls are in place and operating effectively. But, the evolving malware threat also requires agencies to be constantly improving their security processes, and upgrading to more advanced security tools to further strengthen their networks.

The audit highlighted a need for the WA public sector to have a coordinated approach to the management of cyberthreats. At the time of our audit, there were no statewide requirements for cybersecurity and anti-malware controls. Each agency has to carry the full cost of planning for and guarding against malware threats as there are no official forums for collaboration, sharing of advice, resources and experiences.

Page last updated: December 7, 2016

Back to Top