A report by the state's Auditor-General, Margaret Crawford, into how the NSW government responds to cybersecurity incidents found there is no whole-of-government incident detection capability in place.
The performance audit said agencies' approaches to incident detection and response ranged from good to poor, and that there was very limited sharing of information on incidents between agencies.
The report said there was a high risk that incidents could go undetected for longer than they should, and the opportunity to contain and restrict the damage could be lost.
Cyber incidents could also harm government service delivery, and could include the theft of personal information or even the hijacking of systems for profit or other malicious purposes, the report said.
At the same time, the audit found most IT service providers are not contractually obliged to report cyber incidents to agencies.
Ms Crawford said that, given the current weaknesses in the NSW public sector's ability to detect and respond to incidents, significant improvements needed to be made quickly.
“The NSW Government needs to establish a clear whole-of-government responsibility for cyber security that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way,” she said.
The report has made seven recommendations that it says the Department of Finance needs to address as a "matter of priority".
These include developing whole-of-government procedures, protocols and supporting systems to ensure all threats are reported and responded to, and providing guidelines, training and awareness programs to help agencies improve their detection of and response to cybersecurity incidents.
The audit also recommended revising the Digital Information Security Policy and the Event Reporting Protocol, and developing an online portal through which agencies can report incidents more effectively.
Other recommendations include enhancing the NSW public sector's threat intelligence gathering and sharing; directing agencies to include contract clauses that require IT service providers to report all cybersecurity incidents; and providing agencies with appropriate incident reporting procedures.
Finance Minister Victor Dominello acknowledged that more work is needed to protect the government’s systems and that the department will work to implement the recommendations that have been made by the Auditor-General.
“The Government welcomes the Auditor-General’s report – detecting and responding to cyber security incidents in the NSW public sector. We take the report’s findings very seriously and will endeavour to implement its recommendations,” he said.
“We acknowledge that more must be done to protect our systems and ensure they are resilient and fit-for-purpose in the digital age.”
Mr Dominello said the department had already started to address the issues outlined in the audit, pointing to the appointment of Maria Milosavljevic as government CISO last March as an example.
Ms Milosavljevic is responsible for overseeing the improvement of cybersecurity capability across the public sector. She is also working with federal bodies, including the Australian Cyber Security Centre, to share information and best practice.
The NSW government is also injecting more funding to boost the state's cybersecurity capabilities, Mr Dominello said.
An $11.4 million agreement with Data61 to tackle the state's top technology challenges, including cybersecurity, was announced last year, and last month the NSW government said it was putting $2 million towards the NSW Cyber Security Network, which brings together scientists and engineers from seven of the state's universities to research and develop solutions to cyber attacks.