Information security measures are critical to ensure that government information systems are not vulnerable to cyberattacks and to prevent internal staff from performing system activities for which they are not authorised.
In the last year, government departments and entities experienced a drastic increase in cyberattacks, which had an adverse impact on these auditees. We identified 164 auditees (81%) out of 201 with ineffective security controls. At some of these auditees, the security controls had regressed over the past year. The following concerns were widespread at most of the auditees:
- Inadequate settings on the network components facing the external environment or that could be accessed from the internet
- Systems that were running on outdated operating systems that were no longer supported by their respective suppliers – this means that the latest security updates were not applied
- Systems that were running on aging infrastructure or hardware that was vulnerable to known security flaws and could not be upgraded with the latest software
- Systems where the latest software patches were not applied as soon as they became available to resolve known security flaws, making the environment vulnerable to attacks
Hackers do not require complex techniques to take advantage of these security weaknesses.
Hackers were successful in exploiting the security weaknesses at some of the auditees that we rated as weak. This resulted in some key government services not being available for a prolonged period and, in some cases, hackers using ransomware for financial gain.
Information security governance is a component of IT governance, and accounting officers and authorities have not fulfilled their responsibility in this regard.
For security reasons, we cannot name the government departments and entities that are most vulnerable to this threat. At the following auditees, the security weaknesses were successfully exploited during the last two years and the information is already in the public domain:
- The IT systems of the Department of Justice and Constitutional Development were hacked in September 2021.
- The Ithala Development Finance Corporation and Ithala SOC Limited experienced ransomware attacks in February 2021, affecting public-facing online platforms.
- Transnet suffered a security intrusion cyberattack in July 2021. According to Transnet, the Port Terminals division was among those severely hit.
- The South African Police Service and National Treasury networks were disrupted, caused by cable vandalism in September 2021.
- The website of the Department of Higher Education was hacked in March 2020.
- The Mpumalanga Department of Economic Development and Tourism was hit by ransomware.
- The South African Civil Aviation Authority experienced a security breach in February 2020, targeting email systems and accounts.
BACK TO TOP