“The baseline adoption of the Essential Eight across the Australian Government still requires further improvement to meet the rapidly-evolving cyber security threat environment”.
The Commonwealth Cyber Security Posture in 2019 – Report to Parliament, March 2020
itNews recently reported that the Australian Signals Directorate’s (ASD) first cybersecurity posture report to Parliament this year highlights that more than 70% of government agencies are struggling to fully implement mandatory security controls.
The Federal Government has a list of eight essential strategies for baseline cyber security, of which the ASD’s top four mandatory mitigation strategies for Non-Corporate Commonwealth Entities (NCCEs) have been in place for the past seven years. The aim of these strategies is to avoid the majority of cyber threats.
The ASD report reveals that 73% of NCCE’s reported either “ad hoc” (13%) or “developing” (60%) levels of maturity in their 2018-19 protective security policy framework (PSPF) reporting. “Ad hoc” is the lowest score and indicates “partial or basic implementation and management” of the top four strategies. While a “developing” rating is better than “ad hoc”, it is still below the baseline maturity level for the relevant entities. Only 2% of NCCEs considered themselves “embedded” and “excelling at implementation of better practice guidance”.
The final PSPF report before the scheme changed in 2019 revealed that almost 40% of agencies had not fully-implemented the top four strategies. It also indicated that compliance with the top four had improved by only 3% between 2015-16 and 2017-18.
The report cites information from the Australian Cyber Security Centre’s cyber security survey, which shows that 50% of agencies had “progressed from partly to mostly aligned with the essential eight strategy on user application hardening” between 2018 and 2019.
More than 30% of agencies have also progressed from “partly” to “mostly aligned” with strategies around multi-factor authentication and configuring Microsoft Office macros. However, the ASD said that further improvement is required to mitigate risks from the rapidly evolving cyber threat environment. This includes 25 agencies that were assessed in the ASD’s uplift program in the wake of the state-sponsored cyber-attack against Parliament House.
The ASD concludes that “levels of cyber security maturity vary across the Australian Government. While the cyber security posture of Commonwealth entities continues to improve, entities remain vulnerable to cyber threats. Additional work is required for Commonwealth entities to reach a mature and resilient cyber security posture that meets the evolving threat environment”.
Agilient is one of Australia’s leading security consultancies, with extensive experience in assisting government agencies address complex, high-priority cyber challenges. Our IT security experts are readily available to assist you in implementing the Essential Eight mandatory cyber-risk mitigation strategies. Contact us today to discuss your organisation’s security requirements.