NSW Auditor-General uncovers State's inconsistent approach to cybersecurity

13 Mar 2018

The Auditor-General of New South Wales is concerned that the state’s public sector is falling behind in its ability to effectively detect and respond to cybersecurity incidents, stating that there is no whole-of-government capability to do so.

Earlier this month the NSW Auditor-General Margaret Crawford released a report titled Detecting and Responding to Cyber Security Incidents.

The report makes clear how shambolic and inconsistent policies are across the government agencies examined. Crawford notes that there is limited information sharing about incidents between agencies, and that some of those agencies have poor detection and response practices and procedures.

She also says that cybersecurity incidents can harm the government’s service delivery in a number of ways, including the theft of personal information, denial of access to critical technology, or hijacking systems for profit or malicious intent.

The NSW Government appointed its first Government Chief Information Security Officer (GCISO) Dr Maria Milosavljevic in March 2017 – but it seems she still has her work cut out for her.

The NSW Government also adheres to its own Digital Information Security Policy as part of its ICT Strategy. The Policy outlines requirements for agencies including breach reporting and information sharing.

“I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost,” comments Crawford.

She believes that the NSW public sector’s ability to detect, contain and respond to incidents needs to improve significantly and quickly.

“The NSW Government needs to establish a clear whole-of-government responsibility for cybersecurity that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way,” Crawford continues.

Her report found that while most agencies involved in the case study have incident response procedures, some aren’t clear about who to notify and when. Some agencies have no response procedures at all.

IT service providers are not obliged to report incidents to the agencies they serve – only two agencies in the study had contractual arrangements that obliged providers to report incidents in a timely manner.

The report also states that there is limited evidence of the nature of cybersecurity training provided to staff; two agencies did not report incidents to the Department of Finance, Services and Innovation (DFSI) even though they are required to do so.

The DFSI itself does not have a clear mandate or capability to manage effective detection and response in the NSW public sector.

Macquarie Government managing director Aidan Tudehope says the report’s findings are ‘sobering’.

“Sadly, this report, while deeply disturbing, is not a surprise. Governments everywhere are struggling to come to terms with the huge, ever-changing and growing task of dealing with cybersecurity risks and attacks,” he explains.

“NSW Government should be commended for putting a spotlight on these problems and for taking a step toward addressing them by appointing a Chief Information Security Officer for the state.”

He notes that a positive aspect of the report was that it benchmarked the performance of the NSW agencies it examined against the Australian Signals Directorate’s Information Security Manual (ISM), the standard for cybersecurity controls in Australian government.

“The NSW Government is actually arguably ahead of the curve because it has at least systematically tried to investigate and report on the depth of its problems,” Tudehope concludes.
