Australia Post has failed to effectively manage cyber risks, has not carried out risk assessments on all its critical assets and is not cyber-resilient, the national audit office has found.
The report says Australia Post, which has a network of more than 4,000 post offices and supports its operations with more than 1,500 applications, does have an appropriate risk management framework.
However, it’s failed to follow or implement those safeguards.
A government-owned business, Australia Post provides retail services, mail and parcel delivery and shipment, domestic and international transaction and payment services, and identity verification for passports, licences and proof of age cards. It also handles data management and logistics services for business and government.
Despite this, it has failed to implement risk mitigation controls in line with the government’s Information Security Manual, and is still in the process of “embedding a culture of cyber resilience”, the Australian National Audit Office says in a report handed to parliament on July 4.
The report says Australia Post has also not done risk assessments for all its critical assets, “which has limited its visibility of threats and current controls for those assets”.
“Australia Post has not effectively managed cyber security risks, and should continue to implement its cyber security improvement program and key controls across all its critical assets to enable cyber risks to be within its tolerance level,” the report concludes.
Auditor General Grant Hehir recommended that Australia Post conduct risk assessments for its critical assets and take immediate action to address risks to those assets and their supporting networks and databases.
Work to be done: Australia Post
Australia Post said it was committed to upholding the security of its assets and information but acknowledged that work needed to be done, and it would carry out risk assessments in line with the recommendation.
“Australia Post has clear oversight of its critical asset infrastructures and has prioritised actions under a program of work already underway to address this recommendation,” it said.
It noted that it had been assessed as “internally cyber resilient” by the ANAO. However, while this means there is an adequate level of protection from breaches within the organisation, it remains vulnerable to “intrusion” from external sources.
Tick of approval for Reserve Bank, ASC
The Reserve Bank and the ASC meanwhile both received a tick of approval for effectively managing their cyber security risks.
Respectively, they had the highest and equal third highest level of cyber resilience of 17 entities to come under the ANAO’s radar in the past five years.
The ANAO focused on Australia Post, the Reserve Bank and ASC (formerly Australian Submarine Corporation) in its Investigation into the Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities.
The auditor said while there had been low levels of cyber resilience and regulatory weaknesses in non-corporate Commonwealth entities, all three entities in the current review “have a fit for purpose cyber security risk management framework”.
ASC and the Reserve Bank had met the requirements of their frameworks by implementing the right ICT controls to support desktop computers, ICT servers and systems.
Australia Post has not met the requirements of its own risk management framework, having not implemented all specified controls.
Sign up to the Government News newsletter.