Auditor-General slams Aus Post, lauds ASC over cyber resilience

Australia Post has been urged to uplift its cybersecurity posture after an audit by the Australian National Audit Office (ANAO) identified significant vulnerabilities within the postal service’s Corporate Data Warehouse and eParcel application systems.
 

By contrast, the ANAO commended ASC and the Reserve Bank of Australia (RBA) for their “effective” cyber risk management practices, having proactively implemented controls within their critical systems which fully align with the Australian Government Information Security Manual. The RBA also went a step further than the Manual's recommendations, deploying machine learning and analytics tools to spot cyber threats.

The audit served to benchmark security practices of Commonwealth entities, addressing looming concerns over low levels of cyber resilience, as well as a regulatory framework that had failed to uphold security compliance.

Covering only Australia Post, ASC and the RBA – selected due to the sensitive nature of the information they manage and their key roles around systems of national interest – the audit had a “fit for purpose cybersecurity risk management framework”.

Australia Post was singled out among the three surveyed organisations not only for failing to implement specified technology controls that comply with its own cyber risk framework, but also for only partially implementing controls that meet the Top Four and Essential Eight mitigation strategies established by the Australian Cyber Security Centre (ACSC); however, these baseline strategies, as yet, remain non-mandatory for state-owned entities.

One of the Top Four strategies not being effectively utilised by Aus Post was application whitelisting, intended to “block unauthorised applications from executing on its corporate desktop and server applications”, which the postal service deemed “not suitable” for operations within its two audited systems. However, ANAO’s testing revealed that the corporation’s alternative controls “did not provide sufficient coverage, protection or monitoring of security vulnerabilities”.

All in all, Australia Post was deemed “internally resilient” but not “cyber resilient” based on the national auditor’s grading scheme – akin to nine of 14 other Commonwealth entities examined over the past five years by the federal auditor, including the Australian Taxation Office, the Department of Foreign Affairs and Trade, the Australian Federal Police and the Department of Immigration, and Border Protection.

Despite its shortcomings, the ANAO found Australia Post was working to embed a culture of cyber resilience internally, where RBA’s was already strong and ASC’s developing, with the latter two corporations ranking first and equally third respectively in wholesale cyber resilience among 17 Commonwealth entities audited by the ANAO since 2014.

The postal service and the Reserve Bank were further acknowledged for adopting aspects of recognised international cybersecurity frameworks such as the National Institutes of Standards and Technology (NIST) Cybersecurity Framework and the ISO/IEC 27000 standards suite.

ASC, on the other hand, received praise for its positive cyber risk management approach and openness to improving cybersecurity practices.

Going forward, ANAO recommended that Australia Post conduct risk assessments for unassessed critical assets and immediately respond to significant risks uncovered, which the postal service has agreed to.

“Australia Post has clear oversight of its critical asset infrastructures and has prioritised actions under a program of work already underway to address this recommendation,” the corporation said in a statement.

ANAO also called on Commonwealth entities to leverage expertise across Australia’s public and private sectors, for assistance in improving cybersecurity defences.

The Auditor-General report, Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities, can be viewed here.