By Staff Writer
The Audit Office of New South Wales has found government agencies lack critical cyber maturity capabilities. Audit results released last week identified non-compliance and significant weaknesses against the government’s policy.
The audit examined compliance levels as of June 30, 2020. It focused on nine key agencies – Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Industry and Environment, Regional NSW, Health, Treasury, and Transport for NSW.
The audit scrutinised compliance with the NSW Cyber Security Policy (CSP), a regime that requires NSW Government agencies to self-assess their cyber maturity and implement mandatory cyber risk mitigation strategies.
Of the 104 NSW government agencies, 99 agencies complied with the CSP in an “ad hoc manner” or not at all.
“The poor levels of cyber security maturity are a significant concern,” said NSW Auditor-General Margaret Crawford. The Auditor-General notes while some cyber maturity targets require investments of resources and time, other targets merely require leadership and an in-house commitment to cyber resilience.
NSW government agencies are required to submit a cyber maturity report annually to Cyber Security NSW. Agencies must report on five cyber risk and mitigation factors, including assessing cybersecurity risks and whether they are continuously improving their cybersecurity governance and resilience.
Agencies assess their maturity on an ascending scale of one to five for all requirements. The audit found only five of the 104 government agencies assessed their CSP maturity at level three or above. However, the CSP does not specify a minimum level regarding agencies implementing any mandatory requirements or the Essential 8 strategies.
“Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied,” the audit reported.
Critically, eight of the nine key agencies had not implemented all the planning and governance mandatory requirements at maturity level three or higher. According to the auditor, this indicates the eight agencies core business operations are vulnerable to cyberattacks.
Further, the eight agencies are potentially failing to consider the possibility of high-level cyberattacks and are not ensuring ICT suppliers are managing their cyber risks appropriately.
“Planning and governance are foundational steps in establishing a cyber-resilient organisation,” the audit stated. “Failure to more fully implement these requirements can increase the risk that cyber security is not adequately considered in strategic planning and the management of third parties.”
Ms Crawford was also highly critical of the audited agencies requesting the agencies audit results not be tabled to the NSW Parliament. Even though the audit details cyber deficiencies from more than 15 months ago, the agencies argue identifying the specific cyber weaknesses at particular agencies may expose ongoing weaknesses to threat actors.
“Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards,” says the Auditor General after “reluctantly” agreeing to anonymise agency data.
“I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.”
You can read the full audit results here.
