No one's doing Top 4
Alternatively: Everyone is saying they're doing it, most are lying
The Australian National Audit Office (ANAO) recently published a paper titled Cyber Security Strategies of Non-Corporate Commonwealth Entities, available at https://www.anao.gov.au/work/performance-audit/cyber-security-strategies-non-corporate-commonwealth-entities.
If you’re in Australian Infosec, you’d know:
- Top 4 compliance is a thing most places in FedGov are meant to be doing
- It’s been renamed to the essential eight
- Most places are “doing it”, but probably not really
To no ones surprise, it turns out that it is not actually done properly, and is often reported inaccurately.
The findings were pretty savage and don’t need much other than to be quoted:
None of the seven selected entities examined have fully implemented all the mandatory Top Four mitigation strategies
Food for thought.