Government agencies' security posture still lagging

Federal government agencies are still failing to fully implement the Australian Signals Directorate's Essential Eight threat mitigation strategies.

In a new report into the federal government's cybersecurity posture, the Australian Cyber Security Centre has evaluated the results of a survey exploring the security posture of major Commonwealth entities.

None of the 25 non-corporate Commonwealth entities assessed for the annual study had achieved recommended maturity level in terms of the Essential Eight threat mitigation strategies, the report found.

Nearly three-quarters of these entities reported only ad hoc or developing levels of maturity, and only 2% self-reported being at the highest level of embedded cybersecurity maturity.

Around 67% of agencies acknowledged the need to raise the maturity level of their cybersecurity and improve compliance with the Essential Eight strategies, including the mandatory Top Four.

Common issues faced by agencies include inadequate visibility of their information systems and data holdings, obsolete or unsupported operating systems and other software, ineffective risk management practices and a misunderstanding of the Essential Eight strategies.

But the report states that all agencies are taking steps to improve their internal cybersecurity culture.

Commonwealth entities demonstrated improvements in areas such as cybersecurity training, vulnerability scanning capabilities and implementing more secure controls across their systems such as enterprise-grade password managers.

As a result, between 2018 and 2019, 50% more Commonwealth entities have progressed from partly to mostly aligned with the Essential Eight strategies.

The proportion of assessed entities adopting Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance protocols to combat fraudulent emails grew from just 4.5% and 22.5% respectively in December 2018 to 40.5% and 55.5% in February 2020.

Meanwhile, the proportion of entities with no visibility into how many cybersecurity events they face per day fell from over 50% in 2018 to just 10% in 2019.

Also in 2019, the majority of respondents reported facing hundreds of cybersecurity events or incidents per day.

The report also states that the ACSC responded to 427 cybersecurity incidents that affected Commonwealth entities in 2019, of which 65% were self-reported by the affected agencies.

Of the 427 incidents, 36% were reports of suspected or confirmed indicators of compromise, 18% involved malicious email and 14% involved unauthorised scanning of network ports or brute force password attacks.

A further 14% involved data exposure, theft or leak, 8% involved compromised systems and 3% were DoS attacks. The remaining 7% were miscellaneous incidents such as domain squatting and domain spoofing.

Image credit: ©stock.adobe.com/au/Brian Jackson