Parliamentary inquiry warns of cyber risk

An inquiry by the Commonwealth Parliament’s Joint Committee of Public Accounts and Audit (JCPAA) has reported concern over the failure of many Australian Government agencies to comply with minimum cybersecurity standards.

The report notes: “The Committee is concerned that in 2015–16 only 65 per cent of non-corporate Commonwealth entities reported compliance with the Top Four mitigation strategies.”

These ‘Top Four’ mitigation strategies, as laid out in the Australian Government’s Information Security Manual, produced by the Australian Signals Directorate (ASD), are: application whitelisting; patching applications; patching operating systems; and minimising administrative privileges.

In February 2017 the list was expanded to the Essential Eight with the addition of: disabling untrusted Microsoft Office macros; user application hardening (blocking web access to Flash, Java and ads); multi-factor authentication; and daily backup of important data.

The ASD sends an annual risk survey to all Government entities; however, in recent years only 30–40% of agencies have completed the non-mandatory survey. The Joint Committee recommended that completion of the survey be made mandatory.

The parliamentary inquiry was formed following an Australian National Audit Office (ANAO) review, published in March, of cybersecurity at the Australian Taxation Office (ATO), the Department of Immigration and Border Protection (DIBP) and the Department of Human Services (DHS).

The ANAO gave a tick to the DHS but found the other two agencies “were not cyber resilient” and needed to “improve their governance arrangements and prioritise cybersecurity”.

Despite an Australian Government target for all agencies to be compliant by 30 June 2014, the JCPAA report expresses concern that the ATO and DIBP are still not there yet and are thus “not cyber resilient”.

“The Committee heard that the ATO expects to be fully compliant with the Top Four mitigation strategies by November 2017. DIBP, on the other hand, could not provide a date for when full compliance with all of the Top Four mitigation strategies would be achieved, despite previously advising the Committee that full compliance would be achieved by December 2016.”

“The Committee is concerned to hear from DIBP that it is only in its second year of implementing cybersecurity enhancement programs. The Committee notes that significant machinery of government changes—with the creation of Australian Border Force—contributed to the delay in achieving compliance, however considers that compliance may have been achieved sooner if investment in these programs were made earlier.

“The Committee considers that all non-corporate Commonwealth entities should become compliant with the Top Four mitigation strategies by 30 June 2018 and that the ATO and DIBP report back to the Committee on their progress in implementing the Top Four mitigation strategies.

“This year the ASD updated its cybersecurity strategies from the ‘Top Four’ to the ‘Essential Eight’ in response to the increasing threat of ransomware. The Committee notes that whilst the Government has not made the Essential Eight mandatory, the ASD considers them to be ‘baseline’ for all organisations. The Committee notes that the ATO and DIBP are preparing plans to implement the Essential Eight. The Committee recommends that the Government mandate the Essential Eight cyber security strategies for all Public Governance, Performance and Accountability Act 2013 entities by June 2018.”
