One of the biggest questions raised by this study has been whether the smaller states and territories - with the smallest budgets - should be expected to achieve the same standard of data protection as their larger and richer counterparts.
Almost unanimously, infosec experts consulted by iTnews said yes.
One framed it thus: all governments have a police force or a health department, all police forces hold secret data on covert informants, all governments hold data that - if released - could put someone’s life at risk.
Another asked how it could be conscionable to expect a citizen in a smaller state to put up with a lower standard of protection than their friends in larger states.
These are all messages that agency heads in the Tasmanian government would do well to listen to carefully.
Earlier this year the state’s auditor-general conducted an assessment of the cyber defences of four of Tasmania’s biggest agencies against the ASD’s top four cyber attack mitigation strategies.
But Secretary of the Department of Primary Industries, Parks, Water and Environment, John Whittington, decried the very premise of holding Tasmanian agencies up to the ASD top four - which he called “the gold standard” of cyber security.
He argued applying the standard would increase the cost of IT implementation and administration with little or no benefit compared to the risk. His comments were backed up by other agency chiefs.
Regardless, what the Tasmanian auditor found should worry everyone who lives in the Apple Isle and relies on its water infrastructure, natural resources, police and hospitals on a daily basis.
The review found Whittington’s department located one of its server rooms in a makeshift, shoddily constructed building. Another was only protected by the same swipe card access as the rest of the building.
Firewalls were only activated in some areas of the organisation, and administrator privileges were handed out to staff on an ad-hoc basis.
With little to no self-reflection, the secretary told the auditor “we were informed that there had been no need for a specific incident recording and management system as there had been no security breaches in the last few years”.
In the health department the audit team found 2000 live accounts for staff members who appeared to have left the agency a year or more ago. Police desktops sat inactive for a full hour before they were automatically set to lock.
In March, the Department of Premier and Cabinet told the audit team it was reviewing the state’s out-of-date information security manual and expected to issue revised guidance in Q3 2015.
This has since been pushed back to sometime in the first half of 2016, according to a spokesperson.
Sadly, Tasmania is a case study in what happens when a government believes it is small enough to fall through the gaps.