Some agencies unprepared for a significant cyber incident: ANAO

A recent performance audit report by the Australian National Audit Office (ANAO), titled ‘Management of Cyber Security Incidents’, found that Services Australia and financial crime watchdog AUSTRAC were unprepared for “a significant or reportable cybersecurity incident”.

The independent audit of the two agencies found both had “partly effective” arrangements for managing cybersecurity incidents, but neither was well placed “to ensure business continuity or disaster recovery” following a major cyber breach.

Australian government entities are considered attractive, high-value targets for a range of malicious cybercriminals because they hold Australians’ financial and personal data, the Auditor-General’s office said. Almost a third of cybersecurity incidents reported to Australia’s cyber intelligence agency the Australian Signals Directorate (ASD) in 2022–23 involved government bodies.

The ANAO said its previous audits of government entities had also found “low levels of cyber resilience”.

Its report on Services Australia and AUSTRAC pointed to the importance of government agencies continually enhancing their cyber protections, as new technologies increase “the number of possible entry or weak points that malicious cyber actors can exploit”.

Opportunities to improve at Services Australia

The audit found Services Australia did not have a documented approach to threat assessments, a policy for managing security incidents, a timeline for response escalation or a defined approach for investigations.

It found the agency had, however, established an incident response plan, including procedures for managing data spills and malicious code infections. Data spills occur when private information is accidentally or deliberately exposed.

Services Australia was also found to have implemented solutions for monitoring and prioritising incident alerts, as well as for making disaster recovery plans and regular data backups. However, the Auditor-General found these recovery plans did not include all of Services Australia’s systems and processes, and the recoverability of its backups was not being tested.

The Auditor-General made 10 recommendations for ways Services Australia could strengthen its security, all of which were accepted by the agency.

The recommendations included establishing a Cyber Security Incident Management Policy, or including such incidents in its existing incident policy. Continuous reporting to the agency’s management was also urged, as well as stronger policies for digital preservation and data backups.

Services Australia CEO David Hazlehurst, in a May letter to the Auditor-General’s office released on 14 June, said he recognised “opportunities to improve our processes and procedures”.

“The agency takes its responsibility to safeguard the personal information and data of its customers very seriously, as well as the need to ensure continuity of the essential services and payments that the agency provides,” he said.

AUSTRAC urged to improve reporting and backups

The Auditor-General’s report found AUSTRAC also did not have procedures for testing its data backup systems to make sure they worked well for disaster recovery processes.

AUSTRAC said it did not perform complete system disaster testing “due to the size of its information holdings and budget allocation”.

The agency had “partly implemented” processes which would lessen disruptions during and after cyber incidents, the report found, but it did not have a policy for logging events and did not document its analysis of all cybersecurity issues.

AUSTRAC also had not “detailed the responsibilities for its Chief Information Security Officer (CISO), its approach to continuous monitoring and improvement reporting, or defined timeframes for reporting to stakeholders”, the report said.

The Auditor-General’s nine recommendations for AUSTRAC included defining its CISO’s responsibilities and implementing a security maturity monitoring plan with continuous improvements and reporting to management. The audit called for AUSTRAC to “ensure regular risk reporting to its portfolio minister and the Department of Home Affairs”, and to implement processes for managing evidence from investigations.

It also called upon AUSTRAC to form an approach for limiting data spills, and to test its disaster recovery systems and backups.

AUSTRAC CEO Brendan Thomas wrote to the Auditor-General that the agency accepted its recommendations but maintained its “self-assessment that we are able to respond to cyber incidents as they occur”.

“AUSTRAC has delivered on our applied practice approach to effective management of cybersecurity incidents including prioritisation, record keeping, escalation, and seeking internal and external expertise to inform AUSTRAC’s effective cybersecurity incident response,” he said.

Thomas added that the recommendations from the audit would help AUSTRAC strengthen its cybersecurity “by documenting much of our existing approach and enhancing it where gaps have been identified”.

The Auditor-General’s report contained less detailed technical information than previous reports because cyber intelligence experts at the ASD had advised the ANAO that “adversaries use publicly available information about cyber vulnerabilities to more effectively target their malicious activities”.

The agencies said detailed technical information was therefore provided to the relevant authorities during the audit process, and not shared publicly.

Image credit: iStock.com/Kunakorn Rassadornyindee