The ACSC has recognised the vulnerabilities that agencies face during MoG changes and have issued a Guideline Paper to assist agencies protect themselves during those changes (see attached).
The Guide recognises that adversaries target organisations undergoing major organisational change because they know the disruption makes it easier for social engineering attacks. And this doesn't apply just to government agencies, the Guide is equally applicable to corporates, not for profits, and local councils who are merging.
Staff inside an organisation undergoing major organisational change will need to quickly form effective relationships with a new set of colleagues, often while operating with significant uncertainty and time pressures. And as usual, it’s the human factor that’s the weakest link, especially when targets and timelines need to be met.
For example, during major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment, or access from people they don’t know, and cannot easily verify the identity and authority of that person, especially for agencies and organisations that span multiple offices (i.e. in a merged environment, you simply don't know everyone!)
While the ASCS sensibly suggests there should be “arrangements so that staff can readily verify the identity and authority of new colleagues” via introductions, org charts and trusted third parties for “ad hoc” verifications, staff need to stand their ground on information security. They should receive training and awareness reminders during MoG changes as part of an organisation's change management program.
Data migration and amalgamation are also key risks:
There's a lot for merging entities to consider when it comes to records management and information/cyber security. That's why they should be specific "projects" as part of an overall change management/MoG migration program.
What agencies should do
Centium can assist agencies in working through their mergers, amalgamations and migrations by conducting risk assessments and specifying appropriate controls. Now that agencies have merged, we can help by retrospectively assessing whether any exposures have been (unintentionally) created.
For example, we can:
For more information please refer to the ACSC - Mergers, Acquisitions and Machinery of Government Changes guide and contact us to find out how Centium can help you.