A government audit has concluded that Australia Post is not adequately protecting itself from potential cybersecurity breaches and has an overall cyber risk “significantly above its defined tolerance level”.

The nationwide logistics giant was one of three government owned bodies whose cybersecurity capabilities were reviewed by the Australian National Audit Office (ANAO) as part of its regular cybersecurity audit program.

Government-owned naval shipbuilder ASC Pty Ltd and the Reserve Bank of Australia (RBA) had effectively managed their cybersecurity risks, the audit office found in a new report, but Australia Post was behind the curve and had not implemented key cybersecurity controls.

Those controls were spelled out years ago in the Australian Signals Directorate’s (ASD’s) Top Four mitigation strategies, which ASD has since expanded into the Essential Eight and its accompanying maturity model. Government agencies are also assessed against the Information Security Manual (ISM), a set of living documents maintained by the Australian Cyber Security Centre (ACSC).

ANAO evaluated the organisations’ success in implementing 13 different behaviours and practices in areas including cyber security governance and risk management; roles and responsibilities; technical support; and monitoring compliance.

RBA had implemented all 13 of these, while ASC had introduced seven and Australia Post, eight – leading ANAO to flag “low ongoing levels of cyber resilience and weaknesses in the regulatory framework for ensuring compliance with mandatory cyber security strategies.”

Australia Post was well behind the RBA and ASC in implementing the Top Four and Essential Eight, having put in place only two of the four mandatory Top Four strategies – patching applications and restricting administrative privileges – and only one of the four additional, then non-mandatory, Essential Eight strategies, namely daily backups.

The organisation “has not systematically managed cyber risks”, the report warned, with deficiencies including not assessing the effectiveness of controls applied outside its cybersecurity risk management framework.

Honeypots for citizen data

Non-compliance with mandatory cybersecurity requirements has been a chronic problem in the Australian public service: of the entities ANAO has audited since its cyber resilience audit program began in 2013-14, just 29 percent were found to be meeting the mandatory government cybersecurity requirements.

This shortfall is problematic given the ongoing rise in cybercriminal activity and financial losses stemming from it.

Government agencies have long been targets for cybercriminals, who see them either as politically valuable targets or ‘honeypots’ loaded with sensitive – and valuable – personal information on large numbers of citizens.

The recent Verizon Data Breach Investigations Report analysed 23,399 cybersecurity incidents within public-sector organisations – including 330 that included confirmed data disclosure.

Cyber-espionage, the analysts concluded, is “rampant” in government organisations – up 168 percent on the previous year – and state-affiliated actors were behind 79 percent of the breaches involving external attackers.

Agencies are being regularly targeted by many of the threats mitigated by the Australian government’s mandatory controls, including privilege misuse and vulnerabilities in web applications.

These attacks typically began with a staff member falling for a phishing email, which led to the installation of a malware back door, command-and-control and keylogging software – a pattern that points to credential theft and persistent, long-term access rather than a one-off intrusion.

Public-sector agencies were also much slower at discovering they had been breached, with Verizon noting that breaches of public-sector bodies were 2.5 times more likely than those elsewhere to remain undiscovered for years.

Measured against the goal of beginning containment within the first hour of an attack, agencies have a long way to go before they can be deemed cyber-secure.

“Having documented, understood, and tested incident response plans to the real thing will allow the containment process to begin during that first hour to limit the effectiveness and impact through quick identification,” Verizon’s researchers noted.

Raising the bar

The public sector isn’t the only industry working to tighten cybersecurity: APRA’s new Prudential Standard CPS 234 (Information Security), which took effect on 1 July, places accountability for information security squarely on the boards of banks and other financial-services organisations.

And the Department of Defence recently issued $2.2m worth of contracts to bolster the Australian Army’s cybersecurity capabilities.

While the RBA and ASC had the highest and equal third-highest cyber resilience of 17 entities audited since 2013-14, ANAO’s negative findings are a warning shot across the bow of an organisation that has long managed personal information for everyday transactions like passport applications and bill payments.

Australia Post has also been at the epicentre of the government’s many efforts around portable digital identity credentials – making its cybersecurity compliance even more pressing.

The postal service's response to the audit noted that the organisation had been evaluated to be internally resilient – in that it can maintain the continuity of its operations – but conceded that “there is still work to be done to move towards, and maintain, a high level of external resilience.”

In line with ANAO’s recommendations, Australia Post agreed to undertake risk assessments for all critical assets and will immediately address any “identified extreme risks to those assets and supporting networks and databases.”

The program of work will be monitored through information-security risk management and compliance programs, and will be directly reported to senior management and the Australia Post board through its Audit & Risk Committee.