Transport for NSW and Sydney Trains are failing to manage ‘significant’ cyber security risks despite more than $40 million worth of funding, the NSW Auditor General says.

Both have assessed their cyber security risks as unacceptably high and have plans in place to address them.

However, in a report released this week Margaret Crawford found a disconnect between having the risk mitigation plans and delivering on them.

She also said her audit uncovered “significant risks” that both agencies had failed to pick up.

The specific risks wouldn’t be disclosed for security reasons, she said.

Both agencies are falling short of standards set out by the NSW Cyber Security Policy (CSP) and have “low maturity” in relation to managing the vulnerabilities uncovered by the audit, the report says.

The CSP sets out 25 mandatory requirements for government agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies relating to malware, cyber attacks and misuse, and data recovery.

“Neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision making.”

NSW Auditor General Margaret Crawford

Only 7 per cent of staff at TfNSW had completed basic cyber security training.

“TfNSW and Sydney Trains’ risk identification processes are not identifying all potential risks,” Ms Crawford says.

“Not all the weaknesses identified in this audit – many of which are significant – had previously been identified by th agencies, indicating that cyber security risk identification is only partially effective.

“Neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision making.”

Failure to share information

The audit found the agencies are failing to share  information about cyber risks with executives, limiting the information available to make strategic security decisions.

It also found the agencies aren’t routinely auditing third party suppliers to make sure they’re complying with their contractual obligations.

The report makes a number of recommendations including urgently addressing the identified vulnerabilities, increasing cyber security training for staff, and re-prioritising Cyber Defence Portfolio spending under the $42 million Transport Cyber Defence Rolling Program.

The Department of Customer Service also has a role to play in clarifying CSP requirements and ensuring that all agencies report on where they stand in relation to each mandatory requirement, Ms Crawford says.

Improvement ongoing

TfNSW Secretary Rob Sharp said there had been a ‘measurable uplift’ in cyber security across the cluster in line with ‘unprecedented investment’ in the Cyber Defence Porfolio.

Mr Sharp said boosting cyber security was a key priority of TfNSW’s Future Transport 2056 https://future.transport.nsw.gov.au/ strategy.

“This report and its recommendations will serve as constructive input to underpin our ongoing efforts,” he said.

Department of Customer Service secretary Emma Hogan said the department endeavours to continually improve cyber security policy.

“The report is a timely reminder that  there is still much work to be done,” she said.

Details to remain secret

Ms Crawford said she agreed to requests from TfNSW and Sydney Trains not to reveal the specific nature of the weaknesses as they had not yet been addressed.

However, she said it was regrettable this had to occur.

“It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way,” she said.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter