Security organisations have observed a significant increase in attacks by criminal hackers who are attempting to take advantage of the extraordinar
As cyber attacks continue, cyber risk has become one of the top enterprise-wide risks facing entities. Entities need to remain vigilant and governance committees need to ensure they understand the impact of cyber risk on business strategy.
Entities and governance committees should consider cyber threats as part of their risk management and governance framework, with risk registers reflecting the potential risk of cyber attacks on key assets and business processes.
Entities that operate critical infrastructure—such as rail, ports, water, and electricity networks—should check and re-check their security arrangements. QAO’s performance audit Traffic management systems (Report 5: 2013–14) identified that the systems managing traffic-critical infrastructure in Brisbane’s metropolitan area were demonstrably not as secure as they should have been, and were susceptible to targeted attacks. Our ability to successfully penetrate some components of the systems meant that the risk of unauthorised access was unacceptably high at that time.
A recent Australian National Audit Office report, Cyber Security Strategies of Non-Corporate Commonwealth Entities (Report No. 32 2020–21), noted that government departments and agencies reported 436 cyber security incidents to the Australian Signals Directorate in 2019–20. The most common type reported was ‘malicious email’/phishing used as a means of obtaining initial access to a network. This was followed by ‘compromised systems’, where unauthorised access had been gained to a network, account or database.
Furthermore, recent articles from the Australian Financial Review (April 2021) identified that:
Governance committees have an important role in ensuring that their entities have appropriate cyber security defences. They should lead governance and policy to strengthen cyber resilience.
Cyber awareness should become an agenda item for governance committees, not just the chief information officer, with the ultimate goal of integrating cyber risk discussion into the discussion of overall operational risk.
The following table provides entities and governance committees with questions to consider in managing cyber security risks.
Questions to consider
We encourage entities and governance committees to undertake a self-assessment of their risk assessment processes and governance arrangements to ensure they have the right control environment and culture regarding cyber security risks.