Reserve Bank stays cyber resilient through 'FedEx' days and cafe-like 'technology time'

The bank's assistant governor said the organisation is in a position where an understanding of cyber risks, and how best to respond, is 'part of its DNA'.

The Reserve Bank of Australia (RBA) was commended on Tuesday by the Joint Committee on Public Accounts and Audit for its ability to effectively manage cybersecurity risk by implementing mitigation strategies beyond the requirements of the Essential Eight.

Asked by the committee to detail its success in the cybersecurity space, RBA assistant governor of corporate services Susan Woods expanded on the arrangements the bank has in place, which included formal training and not so formal, team-bonding exercises.

"We have a multiplicity of tools we undertake very specific training within our security team but that tends to be more of a technical nature," she said.

"But more broadly with bank staff we do lots of different things. We have formal training that they would complete online, on a regular basis … we also run things like a 'technology time' which is a session that's held every couple of months.

"It's almost like a cafe arrangement where staff come along and they talk about their IT issues, security related and others. We use forums like that to educate people and train them."

Woods said the RBA also holds "FedEx days" for security specialists.

"We use many different tactics from formal training to email campaigns and events like our FedEx days to try and educate and make people more aware," she told the committee.

"We call them FedEx days because we take a particular security challenge and within a day they have to identify, design, and implement a solution to the challenge so they tend to be small problems but nevertheless, meaningful ones, and we get people talking and thinking about the problems that we might face from a cyber perspective, and how they could deal with those."

Woods said cyber resilience is treated as a key enterprise risk within the RBA and that it's a key responsibility of everyone, not just the CISO and the 30 staff that sit under the bank's IT security function.

"We do more than run antivirus software and put firewalls in our network, we take our security standards seriously … and we embed them into every aspect," Woods said.

The RBA was appearing before the committee as part of its inquiry to consider the cyber resilience of government entities prioritising information security.

Specifically, the committee is examining two Auditor-General's reports: Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities and Implementation of the My Health Record System.

The first report followed the Australian National Audit Office's (ANAO) examination of the RBA, as well as Australia Post and ASC Pty Ltd, an Australian government business involved with naval shipbuilding.

The audit labelled Australia Post as not effectively managing cybersecurity risks, with the report highlighting weaknesses in the postal service's implementation of its risk management framework.

See also: AusPost reported 300 cyber incidents this year, but nothing to cause major disruption

ANAO found that both the RBA and ASC effectively managed cybersecurity risks, and that both have implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.

In calling the cybersecurity risk management frameworks in place at both ASC and the RBA fit for purpose, the report said the two organisations have met the requirements of their respective frameworks by implementing the specified IT controls that support desktop computers, IT servers, and systems.

The Reserve Bank and ASC are cyber resilient, ANAO said, with high levels of resilience compared to 15 other entities audited over the past five years. Specifically, the RBA has a strong cyber resilience culture.

On Tuesday, Woods said a strong cyber culture is fundamental to embedding effective cyber resilience.

"The way it works at the RBA is that we've got ourselves to a position where an understanding of cyber risks, and how you respond to those risks, is part of our DNA," she said.

"We talk about it regularly from the Governor and the Deputy Governor, all the way down through the organisation, so it's just part of the way we do business."

She said approaching cyber in such a way that people can understand results in them embedding the practices into their daily activities.

"It does become part of the DNA and my view is that it's fundamental to having an effective cyber resilience posture," she told the committee. "You can have all the standards in the world but if people don't live and breathe them and actually understand them and employ them in what they're doing every day, then they're really not worth anything."

In its probe, ANAO said RBA met the requirements for implementing IT controls contained in its cybersecurity risk management framework, and has gone further than required, implementing mitigation strategies beyond the requirements of the Essential Eight, such as using machine learning and analytics to detect cyber threats.

SEE ALSO