In October 2017, the Joint Committee of Public Accounts and Audit (JCPAA) published a report on cyber security compliance, where they recommended cyber best practices to be followed by federal agencies that would help prevent malware and improve cyber security. The JCPAA is a committee of the Australian Parliament, which makes recommendations to the government based on the results of audits.
In their report, the JCPAA recommends that the Australian Government should mandate the Australian Signals Directorate’s (ASD) Essential Eight cyber security strategies specifically for entities that are covered under the Public Governance, Performance, and Accountability Act 2013. Entities included are Parliamentary departments, departments of state, and qualifying corporate and non-corporate bodies, which depends on how they were formed under Australian law.
Cyber regulations currently include the ASD’s Top Four cyber mitigation strategies, which includes application whitelisting and patching of the operating system. However it is believed that only around 65% of non-corporate entities currently comply. Although the ASD recommended a total of 35 mitigations in 2010, the Top Four are believed to be enough to prevent 85% of attempted cyber events. The increase from Top Four to Essential Eight is believed to further decrease the risks of ransomware and other common malware or cyber attacks. The JCPAA recommends that compliance with the Essential Eight should be met no later than June 2018.
The audit of cyber regulations began after it was discovered that the Australian Taxation Office (ATO) and the Department of Immigration and Border Protection (DIBP) were both lacking on the cyber security front and were not protected against external threats. Seven federal agencies were audited and only one, the Department of Human Services, was found to have implemented application whitelisting appropriately.
If the Australian Government mandates the Essential Eight, cyber compliance will increase to include multi-factor authentication, daily backup of important data, user application hardening, and disable untrusted Microsoft Office macros. Both the Top Four and the Essential Eight include basic best practices that can increase an entity’s cyber security and make it harder to fall prey to more basic cyber attacks. Extending the mitigations not just to federal agencies but also to entities that work with the government is an important step in preserving the cyber safety of the country.