ANAO Report finds Cybersecurity shortcomings

Neither AUSTRAC nor Services Australia is well placed to ensure business continuity or disaster recovery in the event of a significant or reportable cyber security incident, according to a new report by the Australian National Audit Office (ANAO).

The audit followed the Australian Signals Directorate's (ASD) 2023 Cyber Security Posture Report, which found low levels of cyber "maturity" across government entities. Previous audits had also revealed low levels of cyber resilience.

Financial crime watchdog AUSTRAC and Services Australia were selected by the ANAO to provide results from a medium-sized and an extra-large agency, and from two entities that hold financial intelligence information and the health and welfare information of Australians.

“Australian Government entities are expected to be ‘cyber exemplars’, as they receive, process and store some of Australia’s most sensitive data to support the delivery of essential public services,” the report said.

However, in 2022–23, approximately 31 per cent of cyber security incidents reported to the ASD were from non-corporate Commonwealth entities.

Over 40 per cent of these cyber security incidents were coordinated, low-level malicious cyberattacks directed specifically at the Australian Government, government shared services, or regulated critical infrastructure.

Ransomware was the most destructive cybercrime threat in 2022–23 and continues to pose considerable risk to Australian Government entities, businesses and individuals.

The ANAO audit found AUSTRAC has established management structures and responsibilities for managing cyber security incidents. However, it has not documented the assigned responsibilities for its CISO, although the CISO is empowered to make decisions.

“AUSTRAC has documented a framework of procedures for cyber security risk and incident management. However, it does not detail a process for reviewing, updating and testing its cyber security incident management procedures, nor has it implemented a security maturity monitoring plan that details an approach that defines a continuous improvement cycle as well as reporting to management.”

“AUSTRAC has documented cyber security incident monitoring and response procedures. It has not developed an event log policy for handling and containing malicious code infections or intrusions, or containment actions in the event of a data spill.”

The ANAO found that Services Australia is only "partly effective" in its design of cyber security incident management and incident response procedures for investigating and responding to cyber security incidents.
