AusPost reported 300 cyber incidents this year, but nothing to cause major disruption

Australia Post has seen around 300 cyber incidents so far this year, but it said none were enough to cause the government-owned entity to suffer the same fate as the likes of Toll.

Addressing the Joint Committee on Public Accounts and Audit on Tuesday, Australia Post chief information security officer Glenn Stuttard said from January 1 to March 30, the organisation had no incidents that were considered to be of "extremely high" impact.

"But we did respond to over 300 individual cyber incidents that we see in our systems and most of those come from things like SMS phishing campaigns," he said. "Text messages that bad actors might send to you try and get you to click on a link and give up your credentials and similarly through email phishing campaigns, so we're dealing with these types of things on a daily basis, and defending those."

He said it was quite a substantial number and that the postal service didn't have any "high" or "extreme" impacts over that period of time.

Stuttard said Australia Post has not specifically seen any evidence in the past few years of state actors attempting to "hack" or "attack" its systems. But he did say there would be a substantial disruption to its functions should it fall victim to a serious attack.

"Obviously our obligation to deliver a letter service under our obligation would be one business interruption … we run one of the larger parcel logistics businesses in the country and so our ability to be able to function as our parcel business does, if we were impacted by an attack, that service may be impacted and degraded … similar to what you'd see with Toll," he said.

See also: Toll attacker made off with employee data and commercial agreements

Australia Post was appearing before the committee as part of its inquiry to consider the cyber resilience of government entities prioritising information security.

Specifically, the committee is examining two Auditor-General's reports: Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities and Implementation of the My Health Record System.

The first report followed the Australian National Audit Office's examination of Australia Post, Reserve Bank of Australia, and ASC Pty Ltd, an Australian government business involved with naval shipbuilding.

The audit labelled Australia Post as not effectively managing cybersecurity risks, with the report highlighting weaknesses in the postal service's implementation of its risk management framework.

Since the recommendations were made, Stuttard said Australia Post has taken a number of steps under a program of work which is due for completion by June 30.

He said it includes conducting maturity level assessments against the Essential Eight controls for mitigating cyber attacks, reconfirming its critical application list and control scope for assessment of business critical and security ranked critical applications, and conducting reviews internally.

"We're working very, very quickly to establish that baseline of controls against our critical applications, have the appropriate risks weighed, and have the appropriate actions taken where we're finding critical-high gaps," he said. "So that's the work that we've been doing off the back of the recommendation."

John Cox, Australia Post EGM of transformation and enablement, said that from a cultural perspective, staff have been undertaking formal online training, as well as participating in simulations to ensure frontline staff have "good cyber awareness".

"As with all organisations, Australia Post continues to monitor the fast-evolving cyber threat landscape … continually reviewing and adjusting our tools and our processes to ensure that we have that right strengths and protections in place to prevent those cyber attacks," Stuttard added.

"Some of those techniques include ensuring that we have the best of breed, next-generation tooling in place to limit risk and impact of cyber threats such as ransomware."

Stuttard said he was confident that the postal service has "good, broad coverage" in terms of its protective capability.

As a non-corporate government entity, Australia Post isn't required to adhere to the Information Security Manual or the Essential Eight, but it has chosen to voluntarily incorporate some aspects.

"It is clearly not something that we are required to do, however, we certainly see it as sound practice, and we take a commercial lens as a corporate entity that looks at the risks and assesses it based off our overall investment portfolio, and as a consequence, we've been gradually working through our cyber risks and building towards the Essential Eight," Cox explained.

"However, because of some of our business risks that don't require that, just because of the nature of them, we haven't applied that consistently everywhere, we've been quite targeted in applying it, but continuing to work towards it because it is a good standard."

MORE FROM THE POSTAL SERVICE

• AusPost touts 'business-led cybersecurity risk culture' ahead of committee probe
• Audit finds Australia Post not effectively managing cyber risks
• Australia Post a 'trusted' service provider for government identification
• Australia Post looks to peer endorsement for Digital ID
• Geoscience Australia embedding staff within Australia Post to learn its 'culture'
• Sorry we missed you: Australia Post pondering blood deliveries by drone
• Australia Post wants more of your data than it already has
• Australia Post details plan to use blockchain for voting