As technology opens doors to greater efficiency, connectivity and sharing, it also exposes our workplaces and homes to cyber risk.
Media reports show an alarming trend of a growing number of cyber security attacks and incidents of corporate espionage.
Cyber attackers are targeting government entities to compromise Australia’s economic interests and national security. In fact, ‘data fraud or theft’ and ‘cyber attacks’ rank among the top five global risks by likelihood (alongside environmental risks).
Protecting important government information assets with secure systems is critical.
In our recent audit, Managing cyber security risks (Report 3: 2019–20), we identified that the three government entities we examined are not managing their cyber security risks as effectively as they could. Our cyber security consultants successfully compromised all three entities' information and communication technology (ICT) environments and gained access to their sensitive or non-public data, demonstrating gaps in the entities’ mitigation strategies.
In our report, we made 17 recommendations for all entities, covering:
We recognise that implementing effective controls for cyber security should be performed on a cost-benefit basis. Therefore, we recommend all entities firstly assess themselves against Recommendations 1–3. This will ensure, at a minimum, that they have a framework for managing cyber security risks, know what information assets they have, and know to what extent those information assets are exposed to cyber security risks.
1. entities should develop a framework for managing cyber security risks consistent with the Information security policy (IS18:2018)
They should also have information security standards to ensure the framework is consistently applied throughout the entity at an operational level.
Our insight statement 1 in Chapter 2 of our report provides more guidance on this.
2. entities should develop and implement policies and procedures to identify and classify information assets, so they can effectively manage all their information assets that are at risk. This should include policies and procedures for:
3. entities should develop and implement a methodology for identifying and assessing cyber security risks to their information assets. This should include:
Our insight statement 3 in Chapter 2 of our report provides more guidance on this.
Other useful resources include the Queensland Government's Information security policy (IS18:2018) and the Australian Cyber Security Centre’s ‘Essential Eight’ mitigation strategies to help organisations protect their systems against cyber threats.
IS18:2018 helps entities apply a consistent, risk-based approach to information security in order to safeguard the confidentiality, integrity and availability of the data and information they maintain.
The Australian Cyber Security Centre’s ‘Essential Eight’ helps organisations protect their systems against cyber threats.