A report from the NSW Auditor-General found that a third of NSW government agencies had no cyber-attacks at all in 2016-17, a result described as farcical by industry observers.
The Report on Internal Controls and Governance from the Audit Office of NSW was quietly released just before Christmas and signed off by NSW Auditor-General Margaret Crawford. It looked at the 39 largest government agencies in NSW, which make up about 95 per cent of total expenditure for NSW public sector coffers.
These agencies were “considered to be a large enough group to identify common issues and insights,” the auditor said.
In the section on cyber security governance, the report said 64 per cent of NSW agencies reported cyber-attacks during 2016-17. In total, these agencies reported 8,503 attacks, a massive increase over the 1,558 attacks reported for the year before.
In a case of either world's best cyber security, woeful cyber intrusion detection, or some strange and widely differing definitions of what constitutes a cyber-attack, 33 per cent of agencies said they had no attacks at all in 2016-17.
In another piece of statistical weirdness, two of the thirty-nine agencies confessed to a total of 7,040 attacks between them.
“It’s just ridiculous,” said a respected industry observer, who chose to remain anonymous.
“There’s no way a third could have no attacks at all. Either they are not looking or they have their own unique definition of a cyber-attack that doesn’t include things like phishing.
“It’s not credible that there can be so few attacks, and it’s not credible a third of agencies can have zero attacks,” the industry source said.
In the report the auditor said agencies did have varying definitions of what constituted a cyber-attack and that therefore “the number and nature of cyber-attacks is not known.”
In 2015-16, 21 per cent of agencies reported zero attacks, and in 2014-15, 38 per cent reported no attacks.
In the latest report, three per cent of agencies could not quantify the number of cyber-attacks that occurred. At least they were honest.
In other findings, the auditor said 85 per cent of agencies recognise cyber-attack risk as either ‘High’ or ‘Medium’, but in worrying news, five per cent of agencies said they did not consider that cyber-attacks pose a risk at all.
User access management was also a problem for NSW agencies, especially around financial administration systems. The report identified 54 user access control deficiencies.
“The deficiencies we found mainly relate to weak or missing controls in reviewing the access that staff have to their financial systems, and removing access once staff have left an organisation,” the auditor said.
While 95 per cent of agencies had formal policies for user access, only 82 per cent comply with their policies when granting, changing or removing user access, the auditor said.
Agencies that failed to comply with policies could be drifting into breaking NSW law as well as breaching international standards.
The auditor said section 11 of the Public Finance and Audit Act 1983 required agencies to have effective internal control systems.
“The ‘NSW Government Digital Information Security Policy’ mandates that agencies complete a self-attestation of compliance with the core requirements of the policy.
“This policy requires that agency information security management systems take account of the controls in ISO 27001 ‘Information technology – Security techniques – Information security management systems – Requirements’.
“This standard requires the regular review of users’ access rights, and the removal or adjustment of access rights upon termination of employment or transferral.
“Insufficient user access controls pose a greater risk to agencies where they relate to privileged access,” the auditor said.