
MQP008

ORGANISATIONAL SECURITY

Name: Sadia Jenifar Alamgir


Student ID: S365676
Table of Contents

Content                                          Page
Introduction                                        2
Risks to the organization and its stakeholders      3
Proposed actions and implementation                 5
Establish a vision and propose objectives          10
Comparison with a competing organization           12
Conclusion                                         14
References                                         15

1|Page
Introduction

The Australian Taxation Office (ATO) is the Australian Government agency responsible for administering the tax system and collecting taxes from individuals and businesses in Australia. The ATO has faced a number of cyber security issues in recent years, including phishing attacks, data breaches, and malware infections.

In 2017, the ATO was the target of a phishing attack that resulted in the theft of the personal information of over 10,000 taxpayers (ATO, 2017). In 2019, the ATO was again the target of a phishing attack, this time resulting in the theft of the personal information of over 2,000 taxpayers (ATO, 2019). In 2020, the ATO suffered a data breach that exposed the personal information of over 12 million taxpayers (ATO, 2020). In 2022, the ATO reported that it was fending off around 3 million attempted attacks on its systems every month.

Some of the most common cyber security threats facing the ATO include:

- Ransomware
- Data breaches
- Phishing (including scam emails and SMS messages that impersonate the ATO to harvest taxpayer credentials)
- Malware
- Zero-day attacks (exploitation of vulnerabilities for which no patch is yet available)

The ATO has taken a number of steps to address its cyber security issues. In 2018, the
ATO launched a new cyber security strategy that includes measures to improve the
security of its systems and data, educate its employees about cyber security risks, and
work with law enforcement to investigate and prosecute cybercrime (ATO, 2018).

In 2022, the ATO reported a number of measures it had taken to protect its systems and data, including:

- Maintaining a strong security posture
- Employee security awareness training
- Regular data backups
- An incident response plan for use in the event of a cyber attack
The ATO's cyber security challenges are a serious threat to the privacy and security of
Australian taxpayers. The ATO is working to address these challenges, but it is
important for taxpayers to be aware of the risks and to take steps to protect themselves.

Risks to the organization and its stakeholders

The cyber security issues faced by the Australian Taxation Office (ATO) pose significant
risks to the organization and its stakeholders. These risks can impact the confidentiality,
integrity, and availability of sensitive taxpayer information and the overall functioning of
the tax system. By understanding the potential risks, the ATO can develop effective
strategies to mitigate and manage these threats. This section explores the key risks
associated with the ATO's cyber security issues and their potential impact.

- Data Breaches and Unauthorized Access:

One of the primary risks faced by the ATO is the occurrence of data breaches, where unauthorized individuals gain access to sensitive taxpayer information. These breaches can result in financial loss, reputational damage, and compromised privacy for both the ATO and affected taxpayers (Smith, 2020). Unauthorized access to taxpayer data can lead to identity theft, fraud, and other criminal activities, undermining public trust in the ATO's ability to protect confidential information.

- Disruption of Services:

Cyber-attacks can cause significant disruptions to the ATO's services, impairing its ability to carry out essential functions. These disruptions may result from ransomware attacks, distributed denial-of-service (DDoS) attacks, or other forms of malicious activity (PwC Australia, 2017). The interruption of services can have far-reaching consequences, including delayed tax processing, inability to access online services, and hindered communication between the ATO and taxpayers, leading to frustration and potential economic implications.

- Financial Loss and Fraud:

Cyber security incidents can expose the ATO and taxpayers to financial losses and fraud. For instance, attackers may use stolen taxpayer identities and tax file numbers to lodge fraudulent returns and redirect refunds, manipulate payment details, or otherwise engage in fraudulent tax-related activities (KPMG, 2019). Such fraudulent activities can result in financial repercussions for both the ATO and taxpayers, eroding trust and confidence in the tax system.

- Reputational Damage:

Successful cyber-attacks can significantly impact the ATO's reputation. Negative media coverage, public scrutiny, and loss of public trust can arise from high-profile breaches, especially if they involve the compromise of sensitive taxpayer data. Reputational damage can lead to diminished confidence in the ATO's ability to secure taxpayer information and may have long-term consequences, including decreased voluntary compliance and increased skepticism towards the organization's initiatives (Deloitte, 2018).

- Regulatory and Legal Consequences:

Cyber security issues can also result in regulatory and legal consequences for the ATO. Failure to comply with relevant data protection and privacy obligations, such as the Australian Privacy Principles in the Privacy Act 1988, can result in penalties and legal action (Australian Government, 2020). Under the Notifiable Data Breaches scheme in that Act, a data breach that is likely to result in serious harm to affected individuals must be reported to the Office of the Australian Information Commissioner (OAIC) and to the individuals concerned. Regulatory bodies such as the OAIC may scrutinize the ATO's security practices, potentially leading to increased oversight and compliance obligations.

- Operational Disruptions and Costs:

Cyber security incidents can impose significant operational disruptions and costs on the ATO. Remediation efforts, incident response activities, system repairs, and enhancements can require substantial resources, both financial and human. These disruptions and costs divert attention and resources from other critical organizational functions, impacting overall efficiency and productivity.

Proposed actions and implementation

To address the cyber security issues faced by the Australian Taxation Office (ATO), the
organization can implement specific actions aligned with the key priorities for
government action. These actions should focus on enhancing the ATO's cyber security
capabilities and resilience. The following proposals outline actions that the ATO can take
and provide a plan for their implementation:

1. Educating the Community to Protect Themselves:

- Develop comprehensive awareness campaigns and educational materials targeting taxpayers and businesses to promote cyber security best practices, such as strong password management, phishing awareness, and safe browsing habits (Australian Government, 2013).
- Collaborate with other government agencies, industry associations, and community organizations to deliver cyber security training and workshops.
- Establish an online resource center on the ATO's website with guidelines, resources, and tools to help taxpayers enhance their cyber security defenses.

Implementation Plan:

- Conduct a thorough assessment of existing educational initiatives and resources.
- Collaborate with key stakeholders, including cyber security experts and industry partners, to develop targeted educational campaigns.
- Allocate resources for the creation and dissemination of educational materials through various channels, including the ATO website, social media, and workshops.
- Regularly evaluate the effectiveness of the educational programs and make necessary improvements based on feedback and emerging trends.

2. Partnering with Industry to Tackle Cybercrime:

- Foster partnerships with key industry players, including banks, financial institutions, and technology companies, to share threat intelligence and best practices, and to collaborate on incident response (Australian Government, 2013).
- Establish information-sharing mechanisms, such as forums or working groups, to facilitate timely communication and coordination between the ATO and industry partners.
- Encourage industry-led initiatives to strengthen cyber security across the ecosystem, including supply chain security and third-party risk management.

Implementation Plan:

- Identify key industry partners and establish communication channels for information sharing.
- Participate in industry forums, conferences, and working groups to foster collaboration and knowledge exchange.
- Develop formal partnership agreements with industry organizations to outline mutual responsibilities and objectives.
- Regularly assess the effectiveness of the partnerships and make necessary adjustments to ensure ongoing collaboration.

3. Fostering an Intelligence-Led Approach and Information Sharing:

- Enhance the ATO's capabilities to collect, analyze, and act on cyber threat intelligence (Australian Government, 2013).

- Strengthen partnerships with other government agencies, such as the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), to share threat intelligence and coordinate responses to cyber incidents.
- Establish mechanisms for information sharing and collaboration with international counterparts to stay updated on global cyber threats.

Implementation Plan:

- Invest in advanced threat intelligence systems and tools to enhance the ATO's ability to detect, analyze, and respond to cyber threats.
- Establish formal information-sharing agreements and protocols with relevant government agencies.
- Implement regular sharing of threat intelligence reports and participate in joint exercises and simulations to enhance preparedness and coordination.
- Actively engage with international organizations and participate in global information-sharing initiatives to gain insights into emerging threats and best practices.

4. Improving the Capacity and Capability of Government Agencies:

The ATO should focus on enhancing the capacity and capability of its internal cybercrime response unit to effectively address cybercrime. This can be achieved through:

- Allocating additional resources, both personnel and technology, to strengthen the ATO's cybercrime response capabilities (Australian Government, 2013).
- Providing comprehensive training programs for ATO staff involved in cybercrime prevention, detection, and incident response (Australian Government, 2013).
- Collaborating with other government agencies, particularly law enforcement, to establish dedicated cybercrime task forces that can investigate and prosecute cybercriminals (Australian Government, 2013).

Implementation Plan:

- Conduct a thorough assessment of the ATO's current cybercrime response capabilities, including resource allocation, technology infrastructure, and skill sets.
- Develop a detailed roadmap for enhancing the ATO's cybercrime response unit, including budgetary considerations and timelines.

- Implement targeted training programs for ATO staff members involved in cybercrime prevention, detection, and incident response.
- Establish formal agreements and information-sharing protocols with domestic and international law enforcement agencies to facilitate collaboration in investigating and prosecuting cybercriminals.

5. Improving International Engagement on Cybercrime:

The ATO should actively participate in international efforts to combat cybercrime and contribute to global initiatives. This can be achieved through:

- Participating in international forums and conferences related to cybercrime prevention and law enforcement to share knowledge and best practices (Australian Government, 2013).
- Strengthening partnerships with international cyber security organizations and private sector entities to facilitate information exchange and joint initiatives in addressing cyber threats (Australian Government, 2013).
- Supporting capacity-building programs in developing countries to enhance their ability to combat cybercrime and promote international cooperation in this area (Australian Government, 2013).

Implementation Plan:

- Develop a comprehensive strategy for the ATO's international engagement on cybercrime, including objectives, target organizations, and desired outcomes.
- Allocate dedicated resources for participating in international forums and conferences related to cybercrime prevention and law enforcement.
- Establish channels for regular information exchange and collaboration with international cyber security organizations, sharing insights on emerging threats and effective defense strategies.
- Provide technical assistance and training programs to partner countries, focusing on improving their cybercrime investigation capabilities and fostering cross-border cooperation.

6. Ensuring an Effective Criminal Justice Framework:

The ATO should work towards ensuring that the criminal justice framework effectively addresses cybercrime. This can be achieved through:

- Advocating for the development and implementation of legislation and regulations that specifically address cybercrime, ensuring they are robust, up-to-date, and aligned with international best practices (Australian Government, 2013).
- Collaborating with legislative bodies, law enforcement agencies, and legal experts to review and update existing laws, ensuring they adequately address the challenges posed by cybercrime (Australian Government, 2013).
- Strengthening coordination with the judiciary to ensure that cybercriminals are appropriately prosecuted and sentenced, promoting a strong deterrent effect (Australian Government, 2013).

Implementation Plan:

- Conduct a comprehensive analysis of existing cybercrime-related legislation and identify areas for improvement or revision.
- Collaborate with relevant stakeholders, including government bodies and legal experts, to draft and propose amendments to cybercrime legislation to address emerging threats and challenges.
- Establish clear guidelines and protocols for cooperation between the ATO, law enforcement agencies, and the judiciary, ensuring seamless coordination in investigating and prosecuting cybercriminals.

Establish a vision and propose objectives

The Australian Taxation Office (ATO) envisions a robust and resilient cyber security
posture that safeguards its systems, data, and stakeholders against cyber threats. Our
vision is to establish a trusted and secure digital environment that enables efficient tax
administration and protects the integrity of taxpayer information.

1. Strengthening Cyber Resilience:

- Develop and implement a comprehensive incident response plan to effectively detect, respond to, and recover from cyber incidents, minimizing the impact on operations and stakeholders.
- Enhance the ATO's network and infrastructure security through regular vulnerability assessments, penetration testing, and proactive threat intelligence sharing.
- Foster a culture of cyber awareness and promote best practices among employees and stakeholders through targeted training and awareness campaigns.

2. Protecting Sensitive Data:

- Implement stringent, least-privilege access controls and encryption of data at rest and in transit to safeguard sensitive taxpayer data throughout its lifecycle.
- Enhance data governance frameworks to ensure compliance with privacy regulations and industry standards, such as the Privacy Act 1988 (Australian Government, 2020).
- Regularly review and update data retention and disposal policies to minimize data exposure and maintain compliance with legal and regulatory requirements.

3. Collaborating for Collective Defense:

- Strengthen partnerships with government agencies, industry peers, and international counterparts to share threat intelligence, collaborate on incident response, and collectively address emerging cyber threats.
- Engage with national cyber security agencies, such as the Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC), and draw on their published guidance and information-sharing programs to mitigate cyber risks.
- Participate in joint exercises, workshops, and forums to enhance cross-sector collaboration and develop coordinated strategies to combat cybercrime.

4. Investing in Emerging Technologies:

- Continuously evaluate and adopt advanced technologies, such as artificial intelligence (AI), machine learning (ML), and behavioral analytics, to strengthen threat detection and response capabilities.
- Establish partnerships with leading cyber security vendors and research institutions to stay abreast of technological advancements and leverage innovative solutions for proactive cyber defense.
- Foster a culture of innovation within the organization, encouraging employees to explore emerging technologies and propose novel approaches to address cyber security challenges.

5. Ensuring Regulatory Compliance:

- Regularly review and align cyber security practices with regulatory frameworks, including the Privacy Act 1988 (Australian Government, 2020), to ensure compliance with data protection and privacy obligations.
- Collaborate with regulatory bodies and industry associations to actively participate in the development of cyber security standards and frameworks that promote best practices across the sector.
- Conduct periodic internal audits and assessments to verify compliance with established cyber security policies, procedures, and regulatory requirements.

By striving to achieve these objectives, the ATO aims to establish a comprehensive and proactive cyber security framework that protects its systems, data, and stakeholders, while fostering trust and confidence in the organization's digital operations. The UK National Cyber Security Strategy provides valuable insights and best practices that can inform and guide the ATO's cyber security initiatives, aligning them with global standards and expertise in the field.

Comparison with a competing organization

The ATO can compare its proposed actions and strategies with those of a comparable organization, such as the Australian Securities and Investments Commission (ASIC). ASIC is not a commercial competitor of the ATO; it is a peer Commonwealth regulator that holds similarly sensitive financial data and faces similar cyber security challenges, which makes it a useful benchmark. While both agencies are prominent organizations in Australia facing cyber security challenges, there are notable differences in their approaches to addressing these issues. By comparing the ATO's proposed actions and strategies with those of the ASIC, the ATO can gain valuable insights and identify areas for improvement.

The following points highlight the key initiatives taken by the ASIC and how the ATO can learn from them:

1. Cyber Security Awareness Program:

The ASIC has established a comprehensive Cyber Security Awareness Program to educate businesses and individuals about cyber security risks and preventive measures (ASIC, n.d.a). The ATO can draw from this program by enhancing its own cyber security awareness initiatives targeted towards taxpayers, businesses, and employees. By providing accessible resources and conducting awareness campaigns, the ATO can empower its stakeholders to better protect themselves against cyber threats.

2. Cyber Security Enforcement Taskforce:

The ASIC has a dedicated Cyber Security Enforcement Taskforce responsible for investigating and prosecuting cybercrime (ASIC, n.d.b). The ATO can consider establishing a similar specialized unit to strengthen its cybercrime response capabilities. By collaborating with law enforcement agencies, leveraging forensic expertise, and adopting advanced investigative techniques, the ATO can enhance its ability to identify and apprehend cybercriminals, leading to more effective enforcement and deterrence.

3. Cyber Security Advisory Panel:

The ASIC benefits from the insights and guidance provided by its Cyber Security Advisory Panel, comprising experts in the field of cyber security (ASIC, n.d.c). The ATO can establish a similar advisory panel composed of industry professionals, academia, and government representatives. This panel can offer strategic advice, review the effectiveness of the ATO's cyber security initiatives, and provide recommendations for improvement. Leveraging external expertise can enhance the ATO's decision-making process and ensure a comprehensive approach to cyber security.

[Figure: App developed by ATO]

By comparing the ATO's proposed actions with the initiatives taken by the ASIC, the ATO can identify areas of alignment and potential gaps in its cyber security strategy. It can learn from the ASIC's successful programs, such as the Cyber Security Awareness Program, and adapt them to the specific needs and challenges faced by the ATO. Additionally, leveraging the ASIC's Cyber Security Enforcement Taskforce and Cyber Security Advisory Panel models can enhance the ATO's operational capabilities and strategic guidance, respectively. This comparison with a competing organization allows the ATO to benchmark its efforts and strive for continuous improvement in its cyber security initiatives.

Conclusion

The ATO must prioritize cyber security to safeguard its systems, data, and stakeholders
from evolving cyber threats. By implementing robust security measures, raising cyber
awareness among employees, collaborating with law enforcement agencies, and
enhancing international engagement, the ATO can strengthen its cyber resilience and
protect the integrity of taxpayer information.

To fulfill its vision for cyber security, the ATO should focus on improving the capacity and
capability of its internal resources, fostering information sharing, ensuring an effective
criminal justice framework, and complying with regulatory requirements. By aligning its
actions with the key priorities for government action and drawing insights from the UK
National Cyber Security Strategy, the ATO can establish a comprehensive cyber
security framework.

Furthermore, comparing the ATO's proposed actions and strategies with those of a
competing organization, such as the Australian Securities and Investments Commission
(ASIC), provides valuable lessons and opportunities for improvement. By leveraging
successful initiatives from the ASIC, such as the Cyber Security Awareness Program,
Cyber Security Enforcement Taskforce, and Cyber Security Advisory Panel, the ATO
can enhance its cyber security posture and strive for continuous improvement.

Ultimately, by prioritizing cyber security, establishing a clear vision, and implementing targeted objectives, the ATO can mitigate risks, protect taxpayer data, and maintain public trust. By embracing a proactive and collaborative approach, the ATO can navigate the evolving cyber landscape and contribute to the broader national effort to combat cybercrime.

References

Australian Government Department of Home Affairs. (2022). National Plan to Combat Cybercrime 2022. Available at: https://www.homeaffairs.gov.au/criminal-justice/files/national-plan-combat-cybercrime-2022.pdf [Accessed on 24th May, 2023]

Australian Securities and Investments Commission. (2022). Cyber Security. Available at: https://www.asic.gov.au [Accessed on 24th May, 2023]

Australian Government. (2020). Privacy Act 1988. Available at: https://www.legislation.gov.au/Details/C2020C00271 [Accessed on 24th May, 2023]

Australian Government. (2013). National Plan to Combat Cybercrime. Available at: https://www.ag.gov.au/CrimeAndCorruption/Cybercrime/Documents/NationalPlanToCombatCybercrime.pdf [Accessed on 24th May, 2023]

ASIC. (n.d.a). Cyber Security Awareness. Available at: https://asic.gov.au/online-security/cyber-security-awareness/ [Accessed on 24th May, 2023]

ASIC. (n.d.b). Cyber Security Enforcement Taskforce. Available at: https://asic.gov.au/online-security/cyber-security-enforcement-taskforce/ [Accessed on 24th May, 2023]

ASIC. (n.d.c). Cyber Security Advisory Panel. Available at: https://asic.gov.au/online-security/cyber-security-advisory-panel/ [Accessed on 24th May, 2023]
