NSW Agencies Confront Indeterminate Timelines to Tackle Rising Cyber Threats



NSW Government Agencies Confront Growing Cyber Threats: No Established Timelines for Risk Reduction



Quick Summary

  • NSW government agencies are having difficulty achieving cyber security standards without specified deadlines for mitigating increased risks.
  • More than a dozen agencies have indefinite timelines to rectify their self-reported cyber weaknesses.
  • A number of agencies do not have funding secured for cyber security projects, resulting in critical protection deficiencies.
  • Management of privileged access remains a notable oversight across multiple agencies.
  • Workers in positions with high risk often lack sufficient training in cyber security awareness.
  • Plans for cyber security improvements are projected to extend into 2027 for certain agencies.

NSW Government Agencies in Danger

The most recent audit of NSW government agencies indicates significant deficiencies in cyber security safeguards, with many entities failing to establish explicit deadlines to tackle their rising cyber threats. In an environment where cyber attacks are becoming more advanced and frequent, over a dozen agencies maintain open-ended timeframes for addressing their self-evaluated heightened risk statuses, as reported by the state auditor.

This inaction is troubling, especially with the surge in cyber threats directed at both the public and private sectors in Australia. The report emphasizes the hurdles NSW agencies face in fulfilling their cyber security responsibilities, even after the launch of the NSW Cyber Security Policy in 2019.

NSW Cyber Security Policy: An Overview

The NSW Cyber Security Policy, which succeeded the prior Digital Information Security Policy in 2019, requires agency leaders to show how their organization has assessed and managed cyber risks on an annual basis. The policy aligns with international best practices, including the Essential Eight strategies formulated by the Australian Cyber Security Centre (ACSC). These strategies aim to shield organizations from cyber attacks; however, as of June 2023, no NSW agency had achieved the intended maturity level in applying these strategies.

Financial and Resource Limitations

A major challenge these agencies are encountering is the lack of funding. One large agency, employing over 20,000 individuals and providing essential public services, has a plan to enhance cyber security but does not have the requisite funding for implementation. The audit revealed that 17 agencies currently have cyber security remediation plans in place, but these are projected to be completed between December 2024 and June 2027.

Funding allocated for cyber security initiatives varies significantly, ranging from $250,000 to $47.3 million based on the size and complexity of the agency. This variation in funding is further complicated by the reality that some agencies have not allocated any resources toward cyber security enhancements or staff training.

Shortcomings in Privileged Access Management

A critical finding from the audit was the insufficient management of privileged access across several agencies. Privileged access pertains to user accounts endowed with elevated permissions, enabling access to sensitive information and critical systems. Inadequate management of these accounts could create major vulnerabilities, making agencies attractive targets for cybercriminals.

It is concerning that some agencies have not yet put in place effective privileged access management protocols, which are vital for mitigating both internal and external cyber threats. Poorly managed accounts can lead to unauthorized access, data breaches, and potentially severe disruptions to government operations.

Cyber Security Awareness Training: An Overlooked Necessity

The audit raised concerns about the lack of cyber security awareness training, particularly for employees in high-risk positions. Despite the vital importance of such training in preventing cyber incidents, several agencies have neglected to provide additional training for staff deemed at high risk for cyber attacks.

This oversight leaves significant segments of the public sector workforce exposed to phishing attempts, ransomware, and various cyber threats that leverage human error. As cyber attacks increasingly exploit individuals as gateways into larger systems, the necessity for regular and thorough training cannot be overstated.

Essential Eight: Current Status of NSW Agencies

The Essential Eight framework, devised by the ACSC, comprises a set of foundational mitigation strategies aimed at safeguarding organizations from cyber threats. These strategies include application whitelisting, patching vulnerabilities, and employing multi-factor authentication, among others. However, none of the NSW government agencies assessed in the audit have achieved the targeted maturity level in executing the Essential Eight.

This trend is alarming, as the Essential Eight represents a minimum benchmark for cyber risk management. Incomplete adoption of these strategies leaves agencies susceptible to cyber attacks, leading to potentially substantial data breaches and service interruptions.

Conclusion

NSW government agencies are encountering serious cyber security challenges, with many failing to achieve the standards outlined by the state’s cyber security policy and the Essential Eight framework. Limited funding, weaknesses in privileged access management, and a lack of staff training are placing these agencies at risk from cyber assaults. With remediation plans extending into 2027, the timeframe for resolving these vulnerabilities remains ambiguous, intensifying concerns about the state’s readiness against escalating cyber threats.

Q: Why are NSW government agencies facing challenges with cyber security?

A: Various factors contribute to these challenges, including insufficient funding, inconsistent risk management approaches, and deficiencies in privileged access management. Additionally, many agencies have not provided adequate cyber security awareness training to their personnel, worsening the situation.

Q: What does the NSW Cyber Security Policy entail?

A: Instituted in 2019, the NSW Cyber Security Policy compels government agencies to conduct annual assessments and management of their cyber risks. It aligns with global best practices and incorporates measures such as the Essential Eight mitigation strategies devised by the Australian Cyber Security Centre.

Q: What are the Essential Eight strategies?

A: The Essential Eight comprises a collection of foundational strategies developed by the Australian Cyber Security Centre to support organizations in defending against cyber assaults. These include application whitelisting, patching software, and integrating multi-factor authentication, among others. Complete implementation of these strategies is regarded as a fundamental standard for cybersecurity protection.

Q: What is the estimated timeline for NSW agencies to address their cyber security challenges?

A: Remediation plans for most agencies are anticipated to be finalized between December 2024 and June 2027. However, due to the absence of definite deadlines for some agencies, compounded by funding challenges, the schedule for fully addressing these issues remains unpredictable.

Q: What vulnerabilities were identified in the audit?

A: The audit identified multiple vulnerabilities, including a lack of privileged access management procedures, insufficient funding for cyber security projects, and inadequate training for high-risk personnel. These factors leave agencies at risk for potential cyber attacks.

Q: What is privileged access, and why does it matter?

A: Privileged access refers to user accounts that possess elevated permissions allowing access to sensitive information and systems. Proper management of these accounts is essential to avoid unauthorized access, data breaches, and other security incidents. The audit found that several NSW agencies had shortcomings in managing privileged accounts, posing notable risks.

Q: How much funding are NSW agencies allocating to cyber security?

A: Cyber security funding across NSW government agencies exhibits considerable variation, ranging from $250,000 to $47.3 million. This disparity means some agencies may lack the necessary resources to fully execute their cyber security remediation strategies.

Posted by Matthew Miller

Matthew Miller is a Brisbane-based Consumer Technology Editor at Techbest covering breaking Australia tech news.
