Federal Budget funding should cover a range of measures including the true weakest links in an organisation – the people
The 2018-19 Federal Budget included $9m of funding for the Department of Parliamentary Services (DPS) to establish a cyber security operations centre for Parliament House. This is a welcomed investment noting that parliaments around the world have become a prime target of hackers in recent years. Last year, the UK parliament was hit by a “sustained and determined” cyber-attack, leaving around 90 parliamentarians unable to access their emails. The attackers sought access to the email accounts of MPs and their staff. Other large government organisations have also been recently attacked – for example the City of Atlanta last month succumbed to a ransomware attack causing massive disruption to city business. Imagine if something similar occurred during a sitting week in Federal Parliament!
The fact the Federal Budget announced the government is investing significantly in cyber security highlights the importance of cyber security on the government’s agenda. However, it’s critical this investment goes further than purchasing the right technology and provides cyber security education throughout the Department of Parliamentary Services.
History shows employees and third party providers create additional complexity for government organisations. Two recent data breaches in Australian government had nothing to do with a weak computer network, but rather human error. The recent hack of a third-party national security contractor, which resulted in sensitive government and military information data theft, and the loss of sensitive cabinet materials left in an office filing cabinet, which was sold at auction, are perfect examples of this.
Both of these issues stem from simple security mistakes, such as weak passwords and lack of awareness in protecting sensitive data, which leads to the unauthorised access of sensitive information. The key is to have more informed users, operating with a contemporary cyber-risk oriented mindset where being aware of, and acting accordingly around cyber threats such as phishing and social engineering is part of the organisational culture. This in turn is bolstered with good technology at many layers including the perimeter, gateway, application, and end point.
In order for the government to appropriately address these issues, Federal Budget funds should address more than just network protection.
According to the recent ACSC Threat Report, social engineering tactics have increased by over 230% since the previous year, costing Australian businesses over $20 million. As such, funding should go to ensuring employees are appropriately educated on keeping sensitive information protected, as well as how to identify and mitigate common social engineering tactics such as phishing, which accounts for most data breaches.
This will be critical as the government looks to develop a simpler and more efficient data sharing framework. It’s vital access is only given to non-sensitive files and connecting businesses to its data doesn’t open up pathways for attackers to gain access to other parts of the network.