CYBER INTELLIGENCE INSIGHTS

KEY INSIGHTS

• All state and territory government organisations face a real chance of suffering financial loss, business disruption, loss of data or reputational damage associated with cyber incidents in 2022.
• Many state and territory government organisations are not yet effectively managing cyber risk.
  • This makes them vulnerable to insider risk as well as to cyber criminals and nation-state actors, which CyberCX has observed actively targeting the sector.
  • States and territories are investing more in cyber resilience, but this is unlikely to materially improve their risk profile in 2022 since the threat environment continues to deteriorate.
• State and territory government organisations face a high likelihood of suffering a data breach.
  • The most common source of data breaches in government is accidental exposure caused by employees or contractors.
  • Foreign governments are actively targeting state and territory governments for intelligence collection and political interference.
• State and territory organisations continue to face a heightened risk of ransomware attacks and other forms of cyber extortion.
  • Government was Australia’s sixth-most targeted sector by cyber extortionists in 2021. In 2021, attacks were reported against Australian councils, political parties and state agencies involved in transportation, education and public health.
• Business Email Compromise (BEC) is the most likely form of cyber criminal attack for state and territory governments and could cause major financial loss.
• The likelihood that a cyber incident will affect operational technology (OT) in state and territory government networks is increasing.
  • An incident that affects OT could have serious physical consequences, including service disruption, environmental impact or loss of life.
• Phishing continues to be the most common method threat actors use to obtain initial network access.
  There is a critical need for state and territory governments to roll out cyber security awareness and training programs for employees.

SPOTLIGHT ON: Significant gaps in management of state and territory government cyber risk

Many government organisations are not yet effectively managing cyber security, making them vulnerable to a broad range of cyber security threats.

State and territory governments are responsible for a wide range of frontline service-delivery functions, from transport to education and health. As a result, they need to manage a wide variety of agencies with inconsistent, varying levels of security controls, which creates many opportunities for cyber intrusion. In 2020 and 2021, audits of state governments across Australia found that most agencies are not managing cyber security risk effectively.

Significant governance, capability and funding gaps common to most Australian state and territory governments include:

1. Business continuity planning: Business continuity plans and disaster recovery plans do not reflect the current, rapidly changing threat environment.
2. Skills shortage: Organisations struggle to attract and maintain enough employees with security skills to match their needs.
3. Executive buy-in: Cyber security issues are under-emphasised in resilience planning and receive limited board-level support.

States and territories are investing more in cyber resilience, but this is unlikely to materially change their threat profile in the short term.

We assess this boost in investment will likely not lead to a material change in cyber risk over 2022, given the relatively low cyber maturity of the sector, ongoing skills shortage in the domestic cyber security industry, and continued deterioration in the threat environment.

KEY INCIDENTS – 2021 state and territory governments select cyber incidents

1. https://www.abc.net.au/news/2021-03-17/wa-parliament-targeted-cyber-attack/13253926