ACSC gives advice on cyber security during mergers, acquisitions and machinery of government changes

By Shannon Jenkins

Monday July 29, 2019

Businesses undergoing major organisational change are attractive targets for cyberattacks, according to the Australian Cyber Security Centre.

To combat this, ACSC has developed a guide for organisations to use during high-risk transformative times. For example, when data is being migrated from one system to another. 

Mergers, acquisitions or machinery of government (MoG) changes can bring disruption, making it easier for cybercriminals to scam staff and compromise systems with social engineering attacks such as Ransomware, business email compromise, payroll fraud and phishing campaigns, ACSC said.

“In short periods of time new relationships need to be established, new business processes need to be integrated and systems need to be stood up, merged, relocated and decommissioned as capabilities are moved and consolidated,” ACSC said.

“The reality is that organisations must be prepared, well before they announce they’re entering an acquisition or merger.”

The new publication provides information on what staff should be wary of, from scams to dodgy data requests.

ACSC said organisations should focus on the following areas:

  • Minimise the accumulation and compounding of your technical debt.
  • Ensure your data and systems are well integrated and properly patched, supported and monitored.
  • Understand the previous operating environment and security controls which protected your data and systems to ensure appropriate and ideally equivalent, or greater, protection is afforded in the new operating environment.

The Department of Home Affairs was criticised last year for more than a decade of poor record-keeping practices in the midst of several machinery-of-government changes and numerous senior executives.

READ MORE: Home Affairs still struggling with record-keeping after executive exodus

Auditor-general Grant Hehir reported that Home Affairs had, in 2014, initially explained the integration in great detail, but had failed to release a “benefits realisation plan” to ensure the integration was actually successful.

The department was also found to have made significantly less revenue than the merger anticipated.

The audit revealed how Home Affairs’ reform plans had changed considerably after the integration was announced, making it increasingly unclear what success looked like and how it could be measured.

Also last year, a submission to the Australian Public Service Review argued that MoG changes are “disruptive” and “undermine the capacity and capability of the APS to meet core responsibilities and deliver functions in an efficient and effective manner”.

The submission from a group of UNSW Canberra academics said public servants often struggle to effectively plan and implement change during the short time frame MoG changes often demand.

This is particularly true for those working in finance, IT and human resources, “as this is where personnel are combined and departmental differences in policies, processes, cultures, managerial approaches and so on are most stark”.

The ASCS suggested that during times of pressure, to minimise security risks organisations should:

  • Brief staff on human risks as soon as possible after major organisational change is announced. For public sector organisations, in line with the APSC’s MoG guide, this should be part of providing early advice and assistance to staff.
  • Remind all staff they should refuse requests for access, payment or data until they can verify the requestor’s identity and authority. Identity should preferably be established in person or via telephone using contact details known to be correct.
  • Put in place arrangements so that staff can readily verify the identity and authority of new colleagues and inform them of this mechanism in the initial brief (e.g. online organisation charts and valid email addresses). Staff should also be encouraged to use trusted third parties (e.g. a colleague they know who can verify another person) to help deal with ad hoc identification.
  • Organise introductions between new staff as quickly as possible to help everyone understand who they should expect to be dealing with.

About the author
Inline Feedbacks
View all comments