Julia Talevski
Editor ARN | Reseller News

NSW govt agencies urged to lift cyber security compliance

News | Security
28 Oct 2021

The report identified non-compliance and significant weaknesses against government policy.

NSW government agencies are being urged to prioritise their cyber security posture and resilience following a report from the Audit Office of NSW, which identified "insufficient progress to improve cyber security safeguards".

The report from the NSW Auditor General assessed nine agencies' compliance with the NSW Cyber Security Policy (CSP) to 30 June 2020, identifying "non-compliance and significant weaknesses against the government's policy".

"The poor levels of cyber security maturity are a significant concern," the report said. 

The NSW CSP, which is issued by Cyber Security NSW -- a business unit of the Department of Customer Service -- came into effect in February 2019 and applies to all 104 NSW government departments and public service agencies.

The agencies involved in this particular audit include the Department of Premier and Cabinet; Department of Communities and Justice; Department of Customer Service; Department of Education; Department of Planning, Industry and Environment; Department of Regional NSW; Ministry of Health; Treasury and Transport for NSW.

While not digging deeply into each agency's specific cyber security failures, for fear of exposing their "weaknesses to threat actors", the report still pointed out that each participating agency had implemented one or more of the mandatory requirements on an "ad hoc or inconsistent basis".

The report found that key elements needed to strengthen cyber security governance, controls and culture were neither sufficiently robust nor consistently applied, and that the CSP was not meeting its objective of improving cyber security.

This was because the CSP does not specify a minimum level that agencies must achieve in implementing the 'mandatory requirements', otherwise known as the 'Essential 8', nor does it require agencies to report target levels and risk acceptance decisions.

Additionally, none of the participating agencies had implemented all of the Essential 8 controls to "at least level one", and there was no system or formal monitoring of the accuracy of agencies' cyber self-assessment processes. This mattered because agencies 'over-assessed' their cyber security maturity, failing to back their self-assessments with actual evidence.

"There has been insufficient progress to improve safeguards across NSW government agencies," the report said. 

As a result, the report said agencies should "prioritise improvements to cyber security resilience as a matter of urgency" and should invest in technical 'uplift' to comply with some elements of government policy. 

In addition, agencies should also display a commitment to leadership and management to improve cyber literacy and culture.

The report follows other performance audits such as Managing cyber risks in July 2021, which found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks, and repeats recommendations made in the 2019 and 2020 Central Agencies report.

According to the Australian Cyber Security Centre (ACSC), government agencies have been increasingly targeted by cyber criminals. Service NSW has been particularly under threat as it suffered two major security incidents in March 2020.
