Media reports show an alarming trend of growing cyber security attacks and corporate espionage.

Cyber attackers are targeting government entities to compromise Australia’s economic interests and national security. In fact, ‘data fraud or threat’ and ‘cyber attacks’ are in the top five most likely global risks in terms of likelihood (alongside environmental risks).

Protecting important government information assets with secure systems is critical.

In our recent audit, Managing cyber security risks (Report 3: 2019–20), we identified that the three government entities we examined are not managing their cyber security risks as effectively as they could. Our cyber security consultants successfully compromised all three entities' information and communication technology (ICT) environments and gained access to their sensitive or non-public data, demonstrating gaps in the entities’ mitigation strategies.

Some learnings for all government entities

• Make sure your staff are aware of their responsibilities in managing cyber risks. In particular, we found poor password practices unnecessarily exposed the three entities to attack.
• Staff and third party providers can be the weak link in an entity’s line of defence against cyber attacks.
• Several issues can make it easier for cyber attackers to compromise an entities’ ICT environments and gain access to sensitive or non-public data. This includes:
  • poor physical security
  • poor password practices
  • known password breaches
  • multi-factor authentication not used on external-facing services or to authenticate sensitive internal servers
  • administrators using their accounts for business-as-usual activities
  • networks not being segmented, which allows attackers to move laterally across an entity’s network
  • outdated systems with known vulnerabilities (for example, Windows XP)
  • descriptive subdomains that indicate services the entity uses or an environment that is not well secured (like development and test environments)
  • insecure encryption channels for online applications.

In our report, we made 17 recommendations for all entities, covering:

• cyber security framework
• information classification
• identifying and assessing cyber security risks
• information asset management
• cyber security risk management strategies
• monitoring and logging.

We recognise that implementing effective controls for cyber security should be performed on a cost-benefit basis. Therefore, we recommend all entities firstly assess themselves against Recommendations 1–3. This will ensure, at a minimum, that they have a framework for managing cyber security risks, know what information assets they have, and know to what extent those information assets are exposed to cyber security risks.

Recommendations 1–3 from Managing cyber security risks (Report 3: 2019–20)

Cyber security framework

1. entities should develop a framework for managing cyber security risks consistent with the Information security policy (IS18:2018)

They should also have information security standards to ensure the framework is consistently applied throughout the entity at an operational level.

Our insight statement 1 in Chapter 2 of our report provides more guidance on this.

Information classification

2. entities should develop and implement policies and procedures to identify and classify information assets, so they can effectively manage all their information assets that are at risk. This should include policies and procedures for:

• identifying and maintaining an inventory of information assets
• classifying information assets as per the 2018 Queensland Government Information Security Classification Framework

Identifying and assessing cyber security risks

3. entities should develop and implement a methodology for identifying and assessing cyber security risks to their information assets. This should include:

• developing a risk assessment process for cyber security that integrates with their enterprise risk management framework
• developing risk appetite statements for cyber security
• identifying and assessing cyber security risks to their key information assets

Our insight statement 3 in Chapter 2 in our report provides more guidance on this.

Other useful resources

Other useful resources include the Queensland Government's Information security policy (IS18:2018) and the Australian Cyber Security Centre’s ‘Essential Eight’ mitigation strategies to help organisations protect their systems against cyber threats.

IS18:2018 helps entities apply a consistent, risk-based approach to information security in order to safeguard the confidentiality, integrity and availability of the data and information they maintain.

The Australian Cyber Security Centre’s ‘Essential Eight’ helps organisations protect their systems against cyber threats.