Government departments fail cyber resilience test


The Australian National Audit Office (ANAO) has assessed the cybersecurity credentials of several Federal Government agencies, with all but one department failing its review.

As part of the government agency’s fourth report on cyber resilience, the audit office assessed four federal departments, including the Department of the Treasury, the National Archives of Australia and Geoscience Australia, rating each agency’s compliance with Australian Signal Directorate’s (ASD) ‘Essential Eight’ cybersecurity guidelines.

These guidelines set out mitigation strategies aimed at improving systems' cyber resilience, including restricting administrative privileges, using multi-factor authentication, and patching operating systems.

ANAO’s ‘Top Four’ mandatory cyber mitigation strategies for government departments and agencies include application whitelisting, applying application and operating system patches, and effectively managing access provisions for privileged user accounts.

Of the three departments assessed by ANAO, only Treasury was compliant with the Top Four mitigation strategies and rated as “cyber resilient”.

While the National Archives was found to be non-compliant with the mitigation strategies, it nevertheless had sound ICT general controls, demonstrating a level of cyber resilience even without the essential internal resilience, the report stated.

The harshest rebuke was reserved for Geoscience Australia, with the report finding it was “not compliant with the Top Four mitigation strategies and did not have sound ICT general controls”, leaving it particularly vulnerable to cyber-attacks.

“Until the National Archives and Geoscience Australia achieve compliance with the mandatory strategies, it is inappropriate to consider that a positive cyber resilience culture is in place,” the audit said.

Each of the surveyed departments has agreed to the recommendations made by ANAO to improve its cyber resilience.