The Queensland public sector has invested in building cyber resilience but public sector entities still aren’t as prepared as they need to be, a performance audit says.

A report by the Queensland Auditor General investigates the preparedness of public sector entities to respond to and recover from cyber security incidents.

It says the Cyber Security Unit (CSU) has been working with entities to boost information security management, while the government has invested in measures to support government owned corporations and local councils.

But just having plans isn’t enough, auditor Brendan Worrall says.

“They need to test their plans and readiness. They need to identify and address any skills gaps they have for dealing with cyber incidents.

“Also, some entities do not yet know about the services CSU provides, and CSU does not know which entities most need its help and expertise.”

Room for improvement

The audit examined two lead entities for guiding cyber security across the state government and three other entities with various levels of resourcing. The entities were not named for security reasons.

“The entities we audited had plans for managing cyber incidents, but all had room to improve,” the report concludes.

“Their plans were not always well integrated with their risk management strategies, did not incorporate cyber insurance requirements, and were not designed to respond to a wide range of threats.”

 One entity had been thwarted by continuing machinery of government changes.

Some needed to be clearer on roles and responsibilities and on how to escalate their responses to cyber incidents, and only one entity had tested its incident response plan.

 All entities need to do more to ensure they can communicate effectively in a cyber crisis, the report says.

The audit found some entities didn’t even have a proper understanding of their critical systems and information assets, and relied heavily on third parties or other government entities when dealing with cyber incidents.

Nearly 94,000 cyber crime reports across Australia were made to the ACSC in 2022–23, a  23 per cent increase in one year. Queensland accounted for 30 per cent of these reports, which is disproportionate to its population size, Mr Worrall said.

The report specifically calls on the Department of Housing, Local Government, Planning and Public Works to do more to ensure councils are aware of resources available through CSU.

“The expertise of CSU is of great potential value to public sector entities, but not all the entities were aware of the breadth of services it offers,” the report says.

“CSU has recently provided services to local governments. These entities – particularly the regional, rural, and remote councils – could benefit from accessing these to help protect themselves against cyber threats.

“This would help them be more aware of the risks they are facing and of the training, guidance, and resources they can access to help them deal with cyber threats.”

The report makes 14 recommendations and provides a checklist of key questions for executive management, boards, and councillors to consider when planning how to respond to and recover from cyber security incidents. 

See the better practice guides here.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter