As cyber attacks continue, cyber risk has become one of the top enterprise-wide risks facing entities. Entities need to remain vigilant and governance committees need to ensure they understand the impact of cyber risk on business strategy.

Entities and governance committees should consider cyber threats as part of their risk management and governance framework, with risk registers reflecting the potential risk of cyber attacks on key assets and business processes.

Entities that operate critical infrastructure—such as rail, ports, water, and electricity networks—should check and re‑check their security arrangements. QAO’s performance audit Traffic management systems (Report 5: 2013–14) identified that the systems managing traffic-critical infrastructure in Brisbane’s metropolitan area were demonstrably not as secure as they should have been, and were susceptible to targeted attacks. Our ability to successfully penetrate some components of the systems meant that the risk of unauthorised access was unacceptably high at that time.

A recent Australian National Audit Office report, Cyber Security Strategies of Non-Corporate Commonwealth Entities (Report No. 32 2020–21), noted that government departments and agencies reported 436 cyber security incidents to the Australian Signals Directorate in 2019–20. The most common type reported was ‘malicious email’/phishing as a means of obtaining initial access into a network. This was followed by ‘compromised systems’, where unauthorised access had been gained to a network, account and database.

Furthermore, recent articles from the Australian Financial Review (April 2021) identified that:

• cyber attacks on computer systems disrupted more than half of Australian businesses in the past 12 months, and they lost, on average, four days of productivity in attempts to get back online
• more than half of businesses hit by ransomware cyber attacks paid their attackers, but a quarter of those did not get their data returned
• 95 per cent of chief executive officers cited cyber risks as the top threat to business growth this year.

Governance committees have an important role in ensuring that their entities have appropriate cyber security defences. They should lead governance and policy to strengthen cyber resilience.

Cyber awareness should become an agenda item for governance committees, not just the chief information officer, with the ultimate goal of integrating cyber risk discussion into the discussion of overall operational risk.

The following table provides entities and governance committees with questions to consider in managing cyber security risks.

We encourage entities and governance committees to undertake a self-assessment of their risk assessment processes and governance arrangements to ensure they have the right control environment and culture regarding cyber security risks.

Further references

• Managing cyber security risks (Report 3: 2019–20)
• Traffic management systems (Report 5: 2013–14)
• Security of critical water infrastructure (Report 19: 2016–17)
• Information security policy (IS18:2018)
• 2018 Queensland Government Information security classification framework
• Australian Cyber Security Centre, Australian Signals Directorate