National audit exposes cyber security failings among Govt entities


A new performance audit report from the Australian National Audit Office (ANAO) has highlighted key gaps in cyber security protocols used by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and Services Australia to recover from a cyber incident.

While the report, titled Management of Cyber Security Incidents, found that the two non-corporate Commonwealth entities (NCEs) had implemented processes to manage cyber security incidents “partly effectively”, it concluded that neither organisation is “well placed to ensure business continuity or disaster recovery” after an incident.

The audit followed the Australian Signals Directorate (ASD) 2023 Cyber Security Posture Report, which found low levels of cyber “maturity” across entities and that 31 per cent of the cyber security incidents reported to the ASD in 2022-23 originated from government entities. Previous ANAO audits had also found low levels of cyber resilience.

“Australian Government entities are expected to be ‘cyber exemplars’, as they receive, process and store some of Australia’s most sensitive data to support the delivery of essential public services,” the report said.

“Low levels of cyber resilience continue to make entities susceptible to cyberattack and reduce business continuity and recovery prospects following a cyber security incident. An entity’s preparedness to respond to and recover from a cyberattack is a key part of cyber resilience.

“This audit was conducted to provide assurance to Parliament about the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents.”

The report indicated that AUSTRAC had “partly effectively”:

  • introduced cyber security incident management processes for investigating, monitoring and responding to incidents
  • established management structures and a framework to support these processes
  • implemented a response process to reduce the impact of disruptions during and after cyber incidents; and
  • established a Security Information and Event Management (SIEM) solution to report incidents.

The report also showed that Services Australia had “partly effectively”:

  • designed cyber security incident management processes
  • established a framework for investigating incidents and a response plan
  • managed data spills, malicious code infections and external intrusions
  • implemented a SIEM solution and a formal approach to monitoring and prioritisation of alerts
  • implemented a response process to reduce the impact of disruptions during and after cyber incidents; and
  • developed business continuity and disaster recovery plans and implemented regular backups.

However, the report found shortcomings at both entities in several other areas:

  • documentation of threat and vulnerability assessments, as well as cyber security incidents; and
  • testing and security of backup and archived data in case of disaster recovery or incident escalation.

The audit made 19 recommendations, nine directed at AUSTRAC and 10 at Services Australia, all of which the entities agreed to. The recommendations centre on clarifying cyber security roles and responsibilities, setting timeframes for incident investigations and updating the entities’ systems so they can respond to incidents more effectively.

“AUSTRAC welcomes the review and the opportunity to reflect on its processes and procedures for managing cybersecurity incidents,” AUSTRAC said in response to the report.

“AUSTRAC maintains that our processes to date have enabled effective management of cyber security incidents if and as they occur, involving prioritisation, escalation and seeking internal and external expertise to inform AUSTRAC’s effective cyber security incident response.

“AUSTRAC welcomes the ANAO’s recommendations, which will support AUSTRAC to strengthen our approach to cybersecurity incident management through greater clarity and certainty provided by documenting much of our existing approach and enhancing it where gaps have been identified.

“In response to the recommendations, AUSTRAC will update key incident response plans and documents, as well as develop testing schedules consistent with our risk profile and appetite and operational requirements.”

“Services Australia (the Agency) notes the audit findings and the recommendations for the Agency associated with improving the management of cyber security,” Services Australia said in response to the report.

“The Agency agrees with the recommendations, and will work towards further strengthening controls in the identified areas. The Agency takes its responsibility to safeguard the personal information and data of its customers very seriously, as well as the need to ensure continuity of the essential services and payments that the Agency provides.

“I consider that the implementation of the recommendations contained in the report will support the Agency in achieving those outcomes.”