Bridging the essential awareness gap to protect the APS

With recent reports indicating the Australian Public Service’s cybersecurity has been deemed inadequate, the Australian Cyber Security Centre has been prompted to mobilise its technical expertise to bolster the government’s IT program.

Cybersecurity Minister Clare O’Neil has acknowledged Australia’s cybersecurity shortcomings and emphasised the need for improvement. Describing the 2022 Medibank hack as “the single most devastating cyber attack that we have experienced as a nation”, O’Neil stressed the importance of protecting government networks from similar breaches.

Public sector cyber attacks have far-reaching consequences. Ensuring protection is not only a matter of safeguarding sensitive information but also of maintaining the integrity and functionality of essential services.

The Australian Signals Directorate (ASD) drafted the Essential Eight as a measure designed to outline strategies for mitigating cyber threats and enhancing the resilience of organisations. These strategies encompass a range of technical and non-technical measures, including multi-factor authentication, application controls and regular backups. The framework is designed to be adaptable to different organisational contexts and provides a solid foundation for cybersecurity best practices.

Despite its establishment as a fundamental cybersecurity framework, however, a recent report into the cyber resilience of organisations in Australia and New Zealand sheds light on the surprising lack of awareness surrounding the Essential Eight. The report indicates that only 37% of respondents are aware of this crucial framework, identifying a substantial gap in cybersecurity knowledge across various organisational levels.

One of the most striking findings of the survey is the low awareness among senior management and those for whom cybersecurity is a part of their role, with 63% unaware or uncertain about the Essential Eight.

Despite the low awareness levels, there are promising signs of progress. Among those familiar with the Essential Eight, there is a significant trend towards compliance and implementation. Impressively, 83% of respondents aware of the framework require IT suppliers to comply with it, while 71% have already integrated it within their organisations. This highlights the potential for enhanced cybersecurity posture if awareness is elevated across the board.

One key takeaway from the survey is the importance of compliance as a driver for implementing the Essential Eight. The majority of organisations that have implemented the framework cite compliance requirements as a primary motivator. While compliance is an important factor, organisations should also recognise the broader benefits of the Essential Eight in enhancing overall cyber resilience and protecting against a wide range of cyber threats.

Moving forward, there are several steps that organisations can take to raise awareness and promote the implementation of the Essential Eight framework. First and foremost, they should prioritise cybersecurity education and training for all employees, with a particular focus on senior management and decision-makers. By ensuring that all stakeholders understand the importance of strengthened posture through the framework, organisations can create a culture of cyber resilience that is embedded throughout the organisation.

Threats to an organisation’s cybersecurity — and methods to mitigate these threats — is a concern in need of action from the top down, and is necessary within every organisation, regardless of size.

Secondly, organisations should leverage industry partnerships and collaborations to promote the adoption of the Essential Eight. It’s critical they enhance information sharing and collaboration. This means fostering trust through the exchange of information among governments, industry peers, experts and think tanks to share resources, best practices and lessons learned, creating a more robust cybersecurity ecosystem.

Finally, organisations should continue to monitor and evaluate their cybersecurity practices to ensure they are aligned with the latest threats and vulnerabilities. With the threat landscape evolving so rapidly, organisations must remain vigilant in adapting their strategies to address new and emerging threats.

Despite the progress made in terms of awareness, it is clear there are still challenges that lie ahead which cannot be addressed without bridging the gap in awareness.

*Vinayak Sreedhar is Australian Country Manager for IT security operations and service management company ManageEngine.

Top image credit: iStock.com/Andreus