NSW Auditor-General uncovers State's inconsistent approach to cybersecurity

13 Mar 18

The Auditor-General of New South Wales is concerned that the state’s public sector is falling behind in its ability to effectively detect and respond to cybersecurity incidents, stating there is no whole-of-government capability to do so.

Earlier this month the NSW Auditor-General Margaret Crawford released a report titled Detecting and Responding to Cyber Security Incidents.

In the report, the shambolic and inconsistent policies across several government agencies became clear. She notes that there is limited information sharing about incidents between agencies. Some of those agencies have poor detection and response practices and procedures.

She also says that cybersecurity incidents can harm the government’s service delivery in a number of ways, including the theft of personal information, denial of access to critical technology, or hijacking systems for profit or malicious intent.

The NSW Government appointed its first Government Chief Information Security Officer (GCISO) Dr Maria Milosavljevic in March 2017 – but it seems she still has her work cut out for her.

The NSW Government also adheres to its own Digital Information Security Policy as part of its ICT Strategy. The Policy outlines requirements for agencies including breach reporting and information sharing.

“I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost,” comments Crawford.

She believes that New South Wales’ public sector’s ability needs to improve significantly and quickly in order to properly protect and respond to incidents.

“The NSW Government needs to establish a clear whole-of-government responsibility for cybersecurity that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way,” Crawford continues.

Her report found that while most agencies involved in the case study have incident response procedures, some aren’t clear about who to notify and when. Some agencies have no response procedures at all.

IT service providers are not obliged to report incidents to agencies – only two in the study had contractual arrangements that obliged providers to report incidents in a timely manner.

The report also states that there is limited evidence of the nature of cybersecurity training provided to staff; two agencies did not report incidents to the Department of Finance, Services and Innovation (DFSI) even though they are required to do so.

The DFSI itself does not have a clear mandate or capability to manage effective detection and response in the NSW public sector.

Macquarie Government managing director Aidan Tudehope says the report’s findings are ‘sobering’.

“Sadly, this report, while deeply disturbing, is not a surprise. Governments everywhere are struggling to come to terms with the huge, ever-changing and growing task of dealing with cybersecurity risks and attacks,” he explains.

“NSW Government should be commended for putting a spotlight on these problems and for taking a step toward addressing them by appointing a Chief Information Security Officer for the state.”

He notes that a positive aspect of the report was that it benchmarked the performance of the NSW agencies it examined against the Information Security Manual (ISM), the standards for control of cybersecurity developed by the Australian Signals Directorate.

“The NSW Government is actually arguably ahead of the curve because it has at least systematically tried to investigate and report on the depth of its problems,” Tudehope concludes.
