NSW public sector’s cyber security resilience needs ‘urgent attention’, audit office finds

By Shannon Jenkins

December 15, 2020


New South Wales auditor-general Margaret Crawford has urged state public sector agencies to improve their cyber security resilience — and fast.

The state government’s cyber security policy requires each agency to conduct an annual maturity self-assessment against the Australian Cyber Security Centre’s Essential Eight mitigation strategies and to submit the result to its agency head and to Cyber Security NSW. The self-assessments are not independently audited.

In a report released last week, Crawford noted that the 103 self-assessments have shown “limited progress” in implementing the Essential Eight, leaving the public sector’s cyber security resilience in need of “urgent attention”.

“Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency,” Crawford recommended.

The state audit office made the same recommendation in 2019.


The ACSC’s Essential Eight maturity model defines three maturity levels (one to three) against which organisations assess their implementation of each strategy. The NSW government has added a further level, zero, for agencies whose implementation of a strategy falls short of maturity level one.

According to Crawford’s report, 72 of 103 self-assessments reported maturity level zero for the strategy of application whitelisting, while just four reported maturity level three. For the strategy of multi-factor authentication, only six assessments reported maturity level three, with 46 reporting maturity level one.

The strategy agencies have implemented best is daily backups, with the majority of assessments reporting maturity level two or three and only six reporting level zero. Even so, the audit office found that overall progress was not good enough.

“The NSW Public Sector’s cyber security resilience needs to improve,” the report said.

Crawford noted a compliance audit on cyber security has been scheduled for 2020–21, which will examine whether agencies are complying with the cyber policy.

In June, the state government announced it would commit $240 million to uplifting agency cyber security capability.

The NSW Audit Office’s findings were released around the same time that a parliamentary report recommended the Australian National Audit Office conduct an annual limited assurance review into the cyber resilience of commonwealth entities.


