Australia Post is not cyber resilient: audit
Australia Post is lacking in cyber resilience, and has not yet met the requirements of its own cybersecurity framework, an audit has found.
The audit into the management of cybersecurity risks of three corporate commonwealth entities — Australia Post, the Reserve Bank of Australia (RBA) and naval shipbuilder ASC Pty Ltd — was conducted by the Australian National Audit Office.
It found that the RBA and ASC have both effectively managed cyber risks. But despite spending the most on cybersecurity among the three entities, Australia Post is still deficient in this regard and is not cyber resilient.
As a result of the audit, Australia Post has agreed to conduct risk assessments for all its critical assets where it has not yet done so, and to take immediate action to address any identified extreme risks to those assets, as well as the organisation’s supporting networks and databases.
The purpose of the audit was to enable comparison between the cyber capabilities of corporate and non-corporate government entities to provide information to help improve the low levels of cyber resilience at non-corporate entities.
The three entities were selected based on the sensitivity of the private information they collect and store, including their role as managers of critical infrastructure or systems of national interest. The audit was performed on systems that were self-reported by the entities as critical.
The audit found that Australia Post spent $22 million on ICT security expenses, from total operating expenses of $6.57 billion. ASC had a cybersecurity budget of $1.9 million and operating expenses of $719.3 million, while RBA had ICT cybersecurity expenses of $7.1 million and operating expenses of $588 million.
One metric used in the audit was the entities’ compliance with the Australian Signals Directorate’s Essential Eight threat mitigation strategies from the Information Security Manual.
While compliance with these strategies is only mandated for non-corporate government entities, it is strongly recommended for corporate entities, and all three audited companies have incorporated these strategies into their cybersecurity risk management frameworks.
Australia Post and RBA have gone beyond this to incorporate aspects of other national and international standards into their frameworks.
The audit found that while RBA and ASC have implemented controls in line with the requirements of all of the Essential Eight strategies, Australia Post has only implemented two of the Top Four strategies.
Specifically, Australia Post has implemented processes for regularly patching applications and minimising privileged user access, but was not adequately meeting the requirements regarding application whitelisting and patching operating systems.
But the audit found that ASC and RBA could stand to further strengthen controls for patching applications and operating systems.
Australia Post had likewise implemented only one of the four non-mandatory mitigation strategies — conducting daily backups. The agency is not yet actively implementing the requirements for multifactor authentication for all privileged users, user application hardening and configuring Office macro settings.
The audit found that the three entities all have a cybersecurity risk management framework that is “fit for purpose”, incorporating both enterprise-wide risk management arrangements that incorporate cybersecurity, and specific frameworks for managing cybersecurity risks appropriate to their operations.
All three entities were found to have governance arrangements in place involving senior executives and board-level committees.
The three organisations were also assessed on whether they have established six risk management and governance arrangements for cybersecurity. These include the presence of enterprise-wide governance arrangements; whether information security roles have been assigned and responsibilities communicated; and whether ICT security is incorporated into strategy, planning and delivery of services.
The remaining criteria included whether ICT operational staff understand the vulnerabilities and cyber threats to the system; the presence of integrated architecture for data, systems and security controls; and whether agencies have implemented a systematic approach to managing cyber risk through methods including security awareness training.
RBA was found to have established arrangements across all six of these criteria. Australia Post was found to have fully implemented the first three but to have only partially established the remaining three, while ASC was found to have only fully implemented controls two through five.
But unlike the RBA and ASC, Australia Post was found not to have met the requirements for ICT controls specified in the entity’s own cybersecurity risk management framework. As a result, the audit states, Australia Post “has rated the overall cyber risk as significantly above its defined tolerance level”.
It notes that last year Australia Post established the Securing Tomorrow cybersecurity program, which aims to reduce cyber risks to within the organisation’s risk tolerance levels by 2020.
The audit also examined whether the three entities are cyber resilient, and whether they have established a culture that encourages this. It found that both Reserve Bank and ASC are cyber resilient, with high levels of resilience compared to 15 other entities audited in recent years.
While Australia Post is not cyber resilient, it was found to be internally resilient, having an adequate level of protection from breaches and disclosures of information from internal sources. Where the entity is lacking is in external resilience, that is, its vulnerability to intrusions from external sources.
The three entities are meanwhile at different stages in fostering a cyber resilience culture. RBA was found to have a strong such culture, having established all of 13 assessed cybersecurity risk governance and risk management behaviours and practices.
ASC is developing such a culture, having established seven and working to fully establish the remaining six. But while Australia Post has established eight of the 13 practices, it was found not to have systematically managed cyber risks. The entity is nevertheless working to establish such a culture, the audit states.
The 13 behaviours and practices assessed in the audit can be grouped into four categories — governance and risk management capability, clearly defined roles and responsibilities, technical support capabilities, and monitoring compliance with cybersecurity requirements.
For example, all three entities were found to have implemented a cyber incident response plan, developed a compliance monitoring approach, embedded security awareness as part of their enterprise culture and assigned information security roles to relevant staff.
But only the RBA was found to have adopted a risk-based approach to prioritising cybersecurity improvements according to the most serious vulnerabilities; developed an integrated architecture for data, systems and security controls; and identified security risks to its information and systems.
Both Australia Post and ASC have made at least some progress implementing all 13 of the controls, the audit found.