A parliamentary committee has heard the Australian Taxation Office is still months away from having a core set of cyber security checks in place.
The tax office won’t have mandated security checks in place against external cyber threats until November, a committee has heard.
An audit of the Australian Taxation Office, which also looked at other departments, found it had a “reasonable” level of cyber protection from within the organisation.
But it was not sufficiently protected against external attacks.
The ATO collects more than $440 billion in tax revenue each year through its electronic lodgement system.
ATO officials told parliament’s audit committee in a hearing in Canberra on Friday the organisation was expected to meet the Australian Signals Directorate’s mandatory “top four” strategies to mitigate cyber intrusions by November.
However, it was having problems with a number of computer servers and facing the busy “tax time” period.
The committee heard the ATO was only “starting planning” to meet a broader set of protections, known as the ASD’s “essential eight”.
The top four strategies are said by the intelligence agency to prevent more than 85 per cent of cyber intrusions.
Immigration department chief information officer Randall Brugeaud could not say when the top four would be met by his department.
The prime minister’s cyber security advisor Alastair MacGibbon told the committee the top four were not easy to achieve, “but should be done”.
He said Department of Prime Minister and Cabinet secretary Martin Parkinson, who chairs the government’s cyber security board, wanted all departments and agencies to achieve the recommended protections “rapidly”.
“There is a really strong ambition on the part of the government to improve the resilience of systems,” he said.