Commonwealth entities reported 427 cybersecurity incidents last year requiring intervention from the country’s chief cyber defence agency, the Australian Cyber Security Centre (ACSC).
The figures were revealed in the recently released Commonwealth Cyber Security report commissioned by the Australian Signals Directorate (ASD), the ACSC’s parent agency, which tracked cyber incidents impacting public agencies across 2019.
Two-thirds of incidents were self-reported to the centre, with the remaining one-third identified through the centre’s investigations and reporting from international partners or third parties.
The most common incidents, sighting reports and ‘indications of compromise’, accounted for 36 per cent of cyber reports. This was followed by malicious emails (18 per cent); data exposure, theft, or leak (14 per cent); network scanning or brute force attacks (14 per cent); compromised systems (8 per cent); and denial of service (DoS) attacks (3 per cent), with remaining incidents classed as “other”.
Speaking with FST Government in response to the report, an ASD spokesperson acknowledged inherent vulnerabilities in governments’ and big businesses’ security architectures (including critical infrastructure sectors like banking and finance) in the face of ever-evolving cyber threats.
She said government and industry had become increasingly reliant on a hotchpotch network of suppliers and third parties, leaving inconsistencies in ICT architectures.
“This can lead to challenges in maintaining best-practice cybersecurity standards across the board,” the spokesperson said.
She urged larger organisations to actively manage their cybersecurity risks across their entire supply chain, not just within their core networks.
“We must continue to develop and improve our approach to safeguard Australia’s security and prosperity, and ensure Australia is the safest place to connect online.”
The ASD report warned that threat actors have been increasingly targeting defence and research agencies, with intellectual property as well as citizen and public agency staff data coming under direct threat.
The report drew on anonymised data to assess agencies’ cyber preparedness, as well as instances of cyberattacks relayed to the ACSC, among other lead cyber defence agencies. Some classified and open-source material was also analysed. It noted a significant improvement by public agencies in the collection and delivery of data on cyber incidents between 2018 and 2019.
“In 2018, most respondents to the ACSC Cyber Security Survey were unable to provide data on cybersecurity events or incidents observed in their entity’s environment,” the report said.
“In 2019, the majority of respondents reported experiencing hundreds of cybersecurity events or incidents per day, with only 10 per cent unable to provide data.”
The data did, however, identify inconsistent levels of cybersecurity maturity across the Federal Government, leaving certain agencies exposed to greater levels of cyber risk.
“While the cybersecurity posture of Commonwealth entities continues to improve, entities remain vulnerable to cyber threats. Additional work is required for Commonwealth entities to reach a mature and resilient cybersecurity posture that meets the evolving threat environment.”
The report observed that a “Cyber Uplift” program has made improvements to the security of all Commonwealth entities, but the end result still fell short when compared against the Essential Eight criteria.
Prior to the uplift, a number of agencies had inadequate visibility of systems and data holdings, the report said, with obsolete and unsupported operating systems and applications, and a clear need to upgrade hardware to more easily implement security controls.
The report also identified apparent misunderstanding of, and inconsistencies in applying, the Essential Eight principles, as well as ineffective risk management practices.
As a deterrent, Commonwealth entities are advised to implement the Australian Cyber Security Centre’s Essential Eight strategies as a baseline to protect computer systems, networks, databases, and websites. These cyber-defence recommendations include application control to prevent the execution of unapproved or malicious programs.
Other steps include restricting administrative privileges to operating systems and applications based on user duties.
Regularly revalidating the need for privileges is recommended, together with ensuring that privileged accounts are not used for email or web browsing.