The NSW Auditor-General has called on the State Government to ramp up cyber security after she found most agencies had untested response procedures, poor reporting of incidents and questionable staff training.
While cyber security incidents can harm government service delivery, involve the theft of personal information or even the hijacking of systems for ransom, the state’s auditor-general Margaret Crawford found “there is no whole-of-government capability to detect and respond effectively to cyber security incidents.”
Given the weaknesses identified, the NSW public sector’s ability to detect and respond to incidents needs to improve “significantly and quickly,” Ms Crawford concluded in her report released on Friday.
Her audit covered the Department of Finance, Services and Innovation (DFSI), which oversees the state's incident reporting protocol and security policy, and 10 agencies that handle various personal and financial data. It found that two agencies had good detection and response processes, four had low capability to detect and respond to incidents, and four had medium capability.
Agencies without procedures
While most agencies had incident response procedures, some lacked guidance on whom to notify and when, she found.
Some agencies did not have response procedures at all, which would limit their ability to minimise business damage caused by a cyber security incident.
Eight agencies had not tested their procedures, presenting a risk they may not work well during a real cyber incident.
Only two of the 10 agencies reported having contractual arrangements with their IT service providers that obliged the third parties to report incidents in a timely manner.
“Agencies without such arrangements have little assurance that they are advised of all significant incidents in a timely way. Where agencies are not informed of an incident, they cannot act to contain the incident and limit damage to themselves and their stakeholders,” Ms Crawford said.
Gaps in staff training
Given cyber security incidents can start as simply as an individual opening a fraudulent website, staff awareness and training were key to reducing risk. Yet few of the agencies undertook regular training or kept their staff informed on types of cyber security attack, she found.
The agencies surveyed could provide limited evidence of what cyber security training had been provided to their staff. Most agencies indicated that key staff had been trained in incident procedures but only one was able to provide any training records to support these claims, Ms Crawford said.
While the agencies are required to report incidents to the DFSI, Ms Crawford found just two agencies did so.
“Three other agencies that are required to report advised they had no incidents but would not report even if they did. None of the agencies’ procedures included a requirement to report incidents to DFSI.”
She said that most of the agencies saw little benefit in reporting incidents to DFSI, which limited the department’s ability to coordinate a whole-of-government response and support agencies to properly manage cyber security incidents.
Department lacks mandate, resources
More broadly, Ms Crawford found that the DFSI does not have “a clear mandate or capability” to ensure effective detection and response of cyber security incidents across the NSW public sector.
While the current policy sets out a range of detection and response requirements for public service agencies, agencies do not consistently adhere to it, and DFSI does not have a clear mandate to enforce it.
“DFSI has not allocated resources to gather or process incoming threat intelligence and communicate it across government.”
Call for procedures, support
Ms Crawford recommended “as a matter of priority” that the DFSI should develop whole-of-government procedures, protocol and support systems to share reported threats and respond to incidents, including those impacting multiple agencies.
This would include post-incident reviews and communicating the lessons learnt.
DFSI should assist agencies to improve their detection and response by providing guidelines for incident detection, response and reporting; training and awareness programs; clarifying role requirements and responsibilities for cyber security across government; and providing support for agencies that have limited capability.
The department should also revise its security policy and reporting protocol by clarifying what security incidents must be reported and when, extending mandatory reporting requirements to agencies not currently covered, and developing an online portal or other means for agencies to report incidents effectively.