How agencies can uplift their information security
A number of recent reports have highlighted the need for the government to uplift its own cybersecurity. The Protective Security Policy Framework (PSPF) Assessment Report 2020–21, which analyses self-assessment reports from 97 non-corporate Commonwealth entities, found that 82% had only reached an ‘ad hoc’ or ‘developing’ maturity in information security.
Hot on the heels of this report, the Cyber Security Industry Advisory Committee released its Annual Report, calling for acceleration and improvement in the hardening of government IT. It notes that given the number of initiatives under the strategy targeted at industry, it is important for the government to take a strong leadership position in relation to hardening its own systems.
The backdrop of these reports is the growing frequency, scale and sophistication of cyber attacks. The Australian Cyber Security Centre (ACSC) found cybersecurity incidents increased 13% in the 2020–21 financial year, and highlighted an increasing trend of data theft and encryption, mainly due to the growth and evolution of ransomware. More recently the Office of the Australian Information Commissioner (OAIC) found data breaches had increased 6% in the July to December 2021 period (compared to the previous six months), with malicious or criminal attacks being the leading source (55%).
These statistics highlight that data is as valuable to cybercriminals as it is to businesses and governments. Therefore, the security of citizen and other sensitive data must be a priority when uplifting the cybersecurity of government agencies and other organisations.
However, data security is a complex challenge. Data is a plentiful resource that is multiplying exponentially, making it hard to track and secure. Research has shown that many organisations — especially those with hybrid environments across both cloud and legacy on-premises data repositories — simply don’t know where all of their sensitive data resides, or how to find, access or control that data.
For agencies looking to improve their cybersecurity, they first need to solve this challenge. Here are the steps to do so.
1. Know what data you have, and where, in real time
Before an organisation can secure the data they hold, they first need to know exactly what data they hold, where it’s located and its context. This step is clearly articulated in Policy Eight of the government’s PSPF, which requires agencies to be able to identify information holdings, assess the sensitivity and security classification of information holdings, and implement operational controls for these information holdings proportional to their value, importance and sensitivity.
However, digital transformation means that agencies today are creating and collecting a large volume of data on a daily basis. This data comes in many forms and is stored in various places. This ‘data sprawl’ has contributed to the fact that only 57% of agencies have fully implemented this requirement. The rest have assessed themselves as ‘developing’ maturity or lower.
To improve this, government agencies need to conduct a data discovery exercise to identify all data repositories of all data types, across all environments. Without such a discovery exercise, an agency could be holding masses of unknown data, which then can’t be properly secured.
2. Control who can access the data
Once an agency has determined where all its sensitive data is, the next requirement outlined in the PSPF is to ensure appropriate access to that data. Currently 23% of agencies are still at the ‘developing’ stage of this requirement.
Controlling access is the single best protection for any resource. Overly permissive user entitlements are fertile ground for data breaches. Therefore, it is important that agencies have visibility into current user entitlements across the entire data estate, apply least privilege access and put strong authentication mechanisms in place. While managed database services provide some access control, it is a better practice for each organisation to apply granular access that is integrated with agency policies and access management solutions. Policies that limit the amount of data that can be downloaded are also highly recommended. This will minimise the risk of malicious insiders and external threat actors gaining access to data via privileged accounts.
3. Protect the data
Once an agency knows what data it has and is controlling access to it, it needs to mitigate common cyber threats to the data, as outlined in Policy 10 in the PSPF. Unfortunately, this is the area where agencies are struggling the most, with 72% of entities at the ‘developing’ stage or lower.
The ideal scenario is a ‘layered’ security model where malicious actors must pass through multiple gates in order to execute an attack, without introducing latency or jeopardising essential processes.
Often, the biggest potential is in leveraging existing data protection systems that are ‘lying around’ or are not used consistently throughout the organisation. Agencies should review the data protection measures already in place, assessing how effective they are and which can be extended to protect all sensitive data.
Another good protection mechanism is data masking, especially for data used in non-production environments such as development, testing, research and analytics, and outsourcing. This mitigates data risk while still providing a realistic alternative for development and test simulations.
These practices, combined with the implementation of security products like web application and API protection (WAAP) and the adoption of good security practices like frequent patching, can help avoid a data breach.
4. Monitor the data
This last step is arguably the most critical, but also the one that is most overlooked.
When it comes to cybersecurity, there are no guarantees. Even the most security-conscious organisations fall prey to cyber attacks. Therefore, it is important for agencies to acknowledge that all the protections you put in place will serve as mere speed bumps to a motivated attacker. The backstop to this is detection and alerting.
By continuously monitoring your data stores for non-compliant, risky or malicious data access behaviour, agencies can ensure they track and block data attacks and abnormal access requests in real time. This tracking data, which shows who accessed what data when, can also expedite forensic-level investigations into the details of any security incident, and be valuable in fulfilling reporting obligations.
The hardening of government IT is an important priority. It will be essential for achieving the government’s goals of improving national security, being a global leader in digital government and enabling a data-driven society. Significant progress can be made if agencies start with a pragmatic program to discover, protect, control and monitor sensitive data as a way to improve their cybersecurity posture.
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...