Cyber security agency failing local government

The NSW government’s cyber security agency is falling short in its obligation to help councils deliver secure, trusted digital services, a report says.

NSW Auditor General Margaret Crawford.

The report by Auditor General Margaret Crawford, released last week, assessed whether Cyber Security NSW is doing what it was set up to do and improving government cyber resilience, including at the local level.

Ms Crawford found when it came to local government, the agency’s role is unclear, it lacks a formal plan for dealing with the sector and has a poor understanding of the needs of councils.

Ms Crawford said uncertainty about where Cyber Security NSW stands in relation to local government, and the lack of an overall council stakeholder engagement plan, is limiting its effectiveness for councils.

“This is notwithstanding that councils may potentially face the same types of cyber security threats as NSW Government agencies, will often be less well equipped to manage these threats, and increasingly have digital systems that are interconnected with the other councils and the state government sector,” she said.

$60 million remit to support local government

Cyber Security NSW was established within the Department of Customer Service in 2019, succeeding the office of the Government Chief Information Security Officer.

It was given a remit to assist local government in boosting cyber resilience via proactive monitoring and training as part of a $60 million funding injection in 2020.

Ms Crawford acknowledges that Cyber Security NSW has engaged with local government, but says this has had mixed results.

“While these mixed results are partly a consequence of it not being provided a formal mandate in the sector, it has also been impacted by the fact that Cyber Security NSW has not established an engagement plan or strategy to guide its engagement with the local government sector,” she says.

Councils vague about role

She also found councils don’t properly understand what Cyber Security NSW is supposed to do, highlighting the need for a clear and accessible service catalogue.

“It is unclear whether the services available to councils are well targeted to raise their cyber security resilience, or whether councils have detailed awareness of existing services,” Ms Crawford says.

There was also no regular assessment of the needs of councils, so it was unclear whether needs are being met, Ms Crawford said, and Cyber Security NSW has no formal authority to mandate cyber security requirements on local councils.

Unmet demand for support

During the audit, councils provided a long list of unmet cyber needs, including incident management support, access to centralised procurement mechanisms and more proactive onboarding and induction of new CISOs/CIOs.

“This highlights that there is a pool of unmet demand among agencies and councils for services and functions that they believe would assist in uplifting their cyber maturity and improving their cyber resilience,” Ms Crawford said.

The Audit Office’s Report on Local Government 2019 found that 80 per cent of councils did not have a cyber security policy or framework. Fifty per cent of councils still did not have cyber security frameworks and related controls in place by June 2021.

Confusion and uncertainty about the role of Cyber Security NSW is likely to continue to be a significant barrier to increasing cyber resilience in local councils, Ms Crawford warns.

The report recommends that by June 30 the Department of Customer Service should ensure that Cyber Security NSW has a detailed catalogue of services available to councils, and that it develops a comprehensive engagement strategy and plan for the local government sector.


One thought on “Cyber security agency failing local government”

  1. Having dealt with the agency directly via local government since its inception, I 100% agree with the findings. They often over state the threats, incite fear in Council staff and fail to build capacity or provide meaningful solutions at a grass roots level. This is especially the case in relation to smaller organisations.
