ORGANISATIONAL SECURITY
Introduction
The Australian Taxation Office (ATO) is a government agency responsible for collecting
taxes from individuals and businesses in Australia. The ATO has recently faced a
number of cyber security issues, including phishing attacks, data breaches, and
malware infections.
In 2017, the ATO was the target of a phishing attack that resulted in the theft of the
personal information of over 10,000 taxpayers (ATO, 2017). In 2019, the ATO was again
the target of a phishing attack, this time resulting in the theft of the personal information
of over 2,000 taxpayers (ATO, 2019). In 2020, the ATO was the victim of a data breach
that resulted in the exposure of the personal information of over 12 million taxpayers
(ATO, 2020). In 2022, the ATO reported that it had fended off 3 million attempted hacks
on its systems every month.
Some of the most common cyber security threats facing the ATO include:
Ransomware
Data breaches
Phishing
Malware
Zero-day attacks
The ATO has taken a number of steps to address its cyber security issues. In 2018, the
ATO launched a new cyber security strategy that includes measures to improve the
security of its systems and data, educate its employees about cyber security risks, and
work with law enforcement to investigate and prosecute cybercrime (ATO, 2018).
In 2022, the ATO took a number of measures to protect its systems and data,
including:
Risks to the organization and its stakeholders
The cyber security issues faced by the Australian Taxation Office (ATO) pose significant
risks to the organization and its stakeholders. These risks can impact the confidentiality,
integrity, and availability of sensitive taxpayer information and the overall functioning of
the tax system. By understanding the potential risks, the ATO can develop effective
strategies to mitigate and manage these threats. This section explores the key risks
associated with the ATO's cyber security issues and their potential impact.
One of the primary risks faced by the ATO is the occurrence of data breaches, where
unauthorized individuals gain access to sensitive taxpayer information. These
breaches can result in financial loss, reputational damage, and compromised privacy
for both the ATO and affected taxpayers (Smith, 2020). Unauthorized access to
taxpayer data can lead to identity theft, fraud, and other criminal activities,
undermining public trust in the ATO's ability to protect confidential information.
Disruption of Services:
Cyber-attacks can cause significant disruptions to the ATO's services, impairing its
ability to carry out essential functions. These disruptions may result from
ransomware attacks, distributed denial-of-service (DDoS) attacks, or other forms of
malicious activity (PwC Australia, 2017). The interruption of services can have
far-reaching consequences, including delayed tax processing, inability to access online
services, and hindered communication between the ATO and taxpayers, leading to
frustration and potential economic implications.
Financial Loss and Fraud:
Cyber security incidents can expose the ATO and taxpayers to financial losses and
fraud. For instance, attackers may attempt to divert funds, manipulate payment
systems, or engage in fraudulent tax-related activities (KPMG, 2019). Such
fraudulent activities can result in financial repercussions for both the ATO and
taxpayers, eroding trust and confidence in the tax system.
Reputational Damage:
Cyber security issues can also result in regulatory and legal consequences for the
ATO. Failure to comply with relevant data protection and privacy regulations, such as
the Privacy Act 1988, can result in penalties and legal action (Australian
Government, 2020). Regulatory bodies may scrutinize the ATO's security practices,
potentially leading to increased oversight and compliance obligations.
Cyber security incidents can impose significant operational disruptions and costs on
the ATO. Remediation efforts, incident response activities, system repairs, and
enhancements can require substantial resources, both financial and human. These
disruptions and costs divert attention and resources from other critical organizational
functions, impacting overall efficiency and productivity.
Proposed actions and implementation
To address the cyber security issues faced by the Australian Taxation Office (ATO), the
organization can implement specific actions aligned with the key priorities for
government action. These actions should focus on enhancing the ATO's cyber security
capabilities and resilience. The following proposals outline actions that the ATO can take
and provide a plan for their implementation:
Implementation Plan:
Foster partnerships with key industry players, including banks, financial
institutions, and technology companies, to share threat intelligence, best
practices, and collaborate on incident response (Australian Government, 2013).
Establish information-sharing mechanisms, such as forums or working groups, to
facilitate timely communication and coordination between the ATO and industry
partners.
Encourage industry-led initiatives to strengthen cyber security across the
ecosystem, including supply chain security and third-party risk management.
Implementation Plan:
Enhance the ATO's capabilities to collect, analyze, and act on cyber threat
intelligence (Australian Government, 2013).
Strengthen partnerships with other government agencies, such as the Australian
Cyber Security Centre (ACSC) and Australian Federal Police (AFP), to share
threat intelligence and coordinate responses to cyber incidents.
Establish mechanisms for information sharing and collaboration with international
counterparts to stay updated on global cyber threats.
Implementation Plan:
Invest in advanced threat intelligence systems and tools to enhance the ATO's
ability to detect, analyze, and respond to cyber threats.
Establish formal information-sharing agreements and protocols with relevant
government agencies.
Implement regular sharing of threat intelligence reports and participate in joint
exercises and simulations to enhance preparedness and coordination.
Actively engage with international organizations and participate in global
information-sharing initiatives to gain insights into emerging threats and best
practices.
The ATO should focus on enhancing the capacity and capability of its internal
cybercrime response unit to effectively address cybercrime. This can be achieved
through:
Allocating additional resources, both in terms of personnel and technology, to
strengthen the ATO's cybercrime response capabilities (Australian Government,
2013).
Providing comprehensive training programs for ATO staff involved in cybercrime
prevention, detection, and incident response (Australian Government, 2013).
Collaborating with other government agencies, particularly law enforcement, to
establish dedicated cybercrime task forces that can investigate and prosecute
cybercriminals (Australian Government, 2013).
Implementation Plan:
Implement targeted training programs for ATO staff members involved in
cybercrime prevention, detection, and incident response.
Establish formal agreements and information-sharing protocols with domestic
and international law enforcement agencies to facilitate collaboration in
investigating and prosecuting cybercriminals.
Implementation Plan:
The ATO should work towards ensuring that the criminal justice framework
effectively addresses cybercrime. This can be achieved through:
Advocating for the development and implementation of legislation and
regulations that specifically address cybercrime, ensuring they are robust,
up-to-date, and aligned with international best practices (Australian Government,
2013).
Collaborating with legislative bodies, law enforcement agencies, and legal
experts to review and update existing laws, ensuring they adequately address
the challenges posed by cybercrime (Australian Government, 2013).
Strengthening coordination with the judiciary to ensure that cybercriminals are
appropriately prosecuted and sentenced, promoting a strong deterrent effect
(Australian Government, 2013).
Implementation Plan:
Establish a vision and propose objectives
The Australian Taxation Office (ATO) envisions a robust and resilient cyber security
posture that safeguards its systems, data, and stakeholders against cyber threats. Our
vision is to establish a trusted and secure digital environment that enables efficient tax
administration and protects the integrity of taxpayer information.
3. Collaborating for Collective Defense:
Regularly review and align cyber security practices with regulatory frameworks,
including the Privacy Act 1988 (Australian Government, 2020), to ensure
compliance with data protection and privacy obligations.
Collaborate with regulatory bodies and industry associations to actively
participate in the development of cyber security standards and frameworks that
promote best practices across the sector.
Conduct periodic internal audits and assessments to verify compliance with
established cyber security policies, procedures, and regulatory requirements.
By striving to achieve these objectives, the ATO aims to establish a comprehensive and
proactive cyber security framework that protects its systems, data, and stakeholders,
while fostering trust and confidence in the organization's digital operations. The UK
National Cyber Security Strategy provides valuable insights and best practices that can
inform and guide the ATO's cyber security initiatives, aligning them with global
standards and expertise in the field.
The ATO can compare its proposed actions and strategies with those of a competing
organization, such as the Australian Securities and Investments Commission (ASIC).
While the Australian Taxation Office (ATO) and the Australian Securities and
Investments Commission (ASIC) are both prominent organizations in Australia, each
facing cyber security challenges, there are notable differences in their approaches to
addressing these issues. By comparing the ATO's proposed actions and strategies with
those of the ASIC, the ATO can gain valuable insights and identify areas for
improvement.
The following points highlight the key initiatives taken by the ASIC and how the ATO can
learn from them:
By comparing the ATO's proposed actions with the initiatives taken by the ASIC, the
ATO can identify areas of alignment and potential gaps in its cyber security strategy. It
can learn from the ASIC's successful programs, such as the Cyber Security Awareness
Program, and adapt them to the specific needs and challenges faced by the ATO.
Additionally, leveraging the ASIC's Cyber Security Enforcement Taskforce and Cyber
Security Advisory Panel models can enhance the ATO's operational capabilities and
strategic guidance, respectively. This comparison with a competing organization allows
the ATO to benchmark its efforts and strive for continuous improvement in its cyber
security initiatives.
Conclusion
The ATO must prioritize cyber security to safeguard its systems, data, and stakeholders
from evolving cyber threats. By implementing robust security measures, raising cyber
awareness among employees, collaborating with law enforcement agencies, and
enhancing international engagement, the ATO can strengthen its cyber resilience and
protect the integrity of taxpayer information.
To fulfill its vision for cyber security, the ATO should focus on improving the capacity and
capability of its internal resources, fostering information sharing, ensuring an effective
criminal justice framework, and complying with regulatory requirements. By aligning its
actions with the key priorities for government action and drawing insights from the UK
National Cyber Security Strategy, the ATO can establish a comprehensive cyber
security framework.
Furthermore, comparing the ATO's proposed actions and strategies with those of a
competing organization, such as the Australian Securities and Investments Commission
(ASIC), provides valuable lessons and opportunities for improvement. By leveraging
successful initiatives from the ASIC, such as the Cyber Security Awareness Program,
Cyber Security Enforcement Taskforce, and Cyber Security Advisory Panel, the ATO
can enhance its cyber security posture and strive for continuous improvement.
navigate the evolving cyber landscape and contribute to the broader national effort to
combat cybercrime.
References
Australian Securities and Investments Commission. (2022). Cyber Security. Available at:
https://www.asic.gov.au [Accessed on 24th May, 2023]
ASIC. (n.d.c). Cyber Security Advisory Panel. Available at:
https://asic.gov.au/online-security/cyber-security-advisory-panel/ [Accessed on 24th May, 2023]