NSW government agencies have minimum controls in place to protect against cyberattacks, says a report.
Analysing 2024 data reported to Cyber Security NSW – the state’s central body responsible for supporting governmental cyber-security initiatives – the Audit Office of New South Wales found that, across agencies, the biggest gaps in cyber resilience were inadequate controls governing user access, authentication, and authorisation. The absence of these controls “increases the likelihood of a successful cyberattack”, says the report.
During 2024, a total of 152 “significant, high and extreme” cyber security risks were reported by 27 government agencies. Of the 152 risks reported, 28 had protections that “were either largely or completely ineffective”. In addition, 60 risks lacked specified timelines to reduce them to an acceptable level, says the report – Cyber security insights 2025.
Planned or ongoing cyber security programs and budget constraints were the most common reasons agencies provided for not meeting the minimum cyber security requirements, the Audit Office found.
The Audit Office also found that aggregated reporting and limited independent assurance processes mean “there is limited visibility of cyber security and a potential risk in reporting accuracy.”
Aggregated reporting to Cyber Security NSW reduces transparency of issues at individual agencies, says the report. “This is especially relevant when there are portfolios of agencies with mixed or unclear cyber security responsibilities.”
Regarding independent assurance, 59 per cent of reporting agencies said they did not have cyber security reviews conducted by an outside party. “The absence of independent assurance increases the risk of inaccurate data being reported to Cyber Security NSW,” says the report.
The Audit Office also found that compliance with the NSW Cyber Security Policy – mandatory requirements to which all agencies must adhere – goes unreported when work is performed by third parties. “Agencies and Cyber Security NSW may not be aware of any non-compliance against the policy where the cyber security control practice is provided by third parties,” says the report.
More work needed to achieve the minimum requirements set.
The Audit Office advises agencies to remain vigilant as the Australian Signals Directorate and Cyber Security NSW warn that the tactics of cyber actors are evolving, with the use of more advanced hacking tools such as AI.
Cyber Security NSW also emphasises that the risks associated with third-party systems have significantly increased in the NSW Government. The number of reported incidents involving third-party owned or managed systems has tripled in the last reporting year.
While agencies have responded to strategies created by Cyber Security NSW to strengthen cyber resilience across government, the report concludes “more work is needed to achieve the minimum requirements set and to manage the cyber risks faced by individual agencies.”