Despite a report damning Commonwealth government agencies with having poor cyber security awareness, the Federal government will not move to compel agencies to fix their online security culture.
A report by the National Security College at the Australian National University and sponsored by Macquarie Telecom has found that 41 per cent of respondents regard their senior executive team as having poor or limited knowledge of cyber security risk.
A scary 15 per cent of government agencies had no-one on board whose chief responsibility was information security while an equally scary seven per cent said cyber security was never discussed at board meetings.
One-fifth did not know if cyber security was ever discussed, and 29 per cent said it was rarely discussed.
Not one government agency reviews its cyber risk management weekly or monthly.
These findings come despite highly publicised cyber security problems at the Bureau of Meteorology and the Australian Bureau of Statistics’ Census night debacle.
It also comes in the wake of the government’s own landmark $230 million Cyber Security Strategy launched with much fanfare by Prime Minister Malcolm Turnbull back in April – plus a recent government threat report on cyber exposure.
Assistant Minister on Cyber Security Dan Tehan, who was on hand to launch the report this week, described the findings as “confronting” and said he would write to all cabinet ministers to educate them on the need for much better cyber security awareness.
“As a result of the report I will be writing to every government minister, reinforcing the importance of cyber security and reinforcing the need for someone at the senior executive level to have direct and clear responsibility for cyber security,” he said.
Mr Tehan said his letter would also highlight the need for more regular reporting on cyber security, but he stopped short of compelling improvements in agency cyber security culture.
“I don’t think we need compulsion,” he said. “My view is for each department and agency to take responsibility for themselves, and the best way to do that is remind them to take this issue incredibly seriously.”
“What happened to the ABS should be a pretty good reminder to them of the need to make this mainstream.”
“My hope is a reminder will be enough,” he said.
Mr Tehan said there were procedural mechanisms in place to force a delinquent agency to mend its cyber security ways, if required. He said future reports would measure the progress (or lack of it) in agency cyber security awareness.
One of the National Security College report recommendations was that cyber risk management be ‘normalised’ as a core board responsibility in both business and government, on a par with financial risk management.
The report also highlighted major cyber security culture problems in medium-sized businesses, with just 58 per cent of respondents saying their board had sufficient understanding of cyber risk.
Only 46 per cent were aware of the Australian Cybercrime Online Reporting Network, while just 29 per cent said they would report an attack if they lost client data. Just 21 per cent cited their legal obligation as a reason to report an attack.
The government has its mandatory breach legislation currently moving through the parliament and Mr Tehan said he hoped the legislation would pass ‘sooner rather than later.’