Published on 15/06/2022 | Written by Heather Wright
‘Essential Eight’ protocol soon mandatory, but agencies are well short…
The ‘Essential Eight’ cybersecurity mitigation strategies are proving problematic for many of Australia’s federal government agencies, just weeks out from becoming mandatory.
The Australian National Audit Office’s Interim Report on Key Financial Controls of Major Entities shows that, while there have been some improvements in maturity levels for the entities audited, maturity levels for most were still ‘significantly below’ the existing mandatory requirements, let alone the full Essential Eight, with just two entities achieving the required maturity level.
The mitigation strategies form the ‘baseline’ of the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents.
The Protective Security Policy Framework (PSPF) cyber security requirements have been in place since 2013. Initially, PSPF Policy 10 mandated that non-corporate Commonwealth entities implement four of the eight mitigation strategies (the ‘Top Four’) and only recommended the remaining four. From July 2022, however, all 98 non-corporate Commonwealth entities are required to implement the full Essential Eight.
The eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication (MFA) and regular backups.
But despite being ‘baseline’ cybersecurity requirements, ongoing ANAO performance audits since 2013 have flagged low levels of compliance with the mandatory requirements and raised concerns about entities’ annual self-assessments.
“There is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013,” the ANAO report says.
The latest review focused on information relevant to the preparation of financial statements, specifically the financial management and HR systems for 19 entities. (The Australian Office of Financial Management was excluded as data was still being verified.)
But while the ANAO might have been looking specifically at the financial and HR systems, the agencies themselves apparently were not. Instead, the report notes, most conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their financial or HR applications.
“Entities viewed the risk to financial information as equivalent to the risks to its overall environment.”
Those using SaaS were largely relying on system accreditation processes, rather than their own assessment, to gain assurance over vendor security controls.
The report shows agencies are still struggling to fully implement the Top Four, let alone the Essential Eight, with two reporting lower maturity than they did last year following ‘changes in the security environment’.
Three reported improvements in Essential Eight maturity levels across several of the strategies, but the ANAO notes the number of entities reporting improvements has not changed since the last assessment.
“These three entities had established regular maturity assessments of Essential Eight mitigation strategies and prioritised the implementation of PSPF Policy 10 requirements, including the implementation of other mitigation strategies.”
Proving particularly problematic is the requirement to patch applications, which only five entities had implemented to the required level, and the user application hardening controls, also achieved by just five.
“The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issues with implementing this mitigation strategy,” the ANAO says.
“Some entities have also stated that the ‘Patching Applications’ requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.”
Patching operating systems, MFA and macro controls were not much better off, with just seven entities achieving compliance with each.
The number of users relying heavily on macros to perform business activities was cited as a stumbling block for the requirement to restrict macros, while some entities also reported difficulties in monitoring the use of macros in their environments.
The report notes that, when it comes to MFA, most agencies have focused on achieving the ‘developing’ maturity level rather than the ‘managing’ maturity level, which requires MFA to be used to authenticate all users accessing sensitive data, and are relying on other mitigation strategies to address the residual risk.
Agencies were having more success with restricting administrative privileges (achieved by 12, though that is the same figure as last year), daily backups (11, up from 10 last year) and application control (10, up four).
“Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time,” the report notes starkly. “The work undertaken as part of this review indicates that this pattern continues, with limited improvements.
“While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.”