A NSW cybersecurity agency whose taxpayer funding was recently increased by 300% has failed to ensure the government follows its own anti-hack policies, a new report has found.
The minister responsible for the agency refused to comment following the NSW auditor-general’s scathing report.
Cyber Security NSW was criticised by the auditor-general, Margaret Crawford, for not making sure other agencies comply with policies meant to protect people’s personal data.
“Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments,” Crawford wrote in the report.
“It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.”
Crawford also said the agency “does not clearly and consistently communicate its key objectives” nor reliably or meaningfully measure progress on them.
The report also found councils and other agencies were confused as to what specific services Cyber Security NSW provided, and that in any case, the cyber agency “cannot mandate action and does not have a strategic approach guiding its efforts”.
It comes after several high-profile hacks in recent years that compromised the personal information of NSW residents.
In March 2020, Cyber Security NSW’s parent agency Service NSW was hit by a cyber attack that resulted in the leak of data belonging to more than 100,000 individuals.
NSW Health and Transport for NSW have also had data compromised in hacks in recent years.
Cyber Security NSW has received $60 million in funding over the past three financial years, a 300% increase from its previous yearly funding of $5 million.
Staff numbers were expected to quadruple in the same period, from 25 to 100.
NSW Customer Service Minister Victor Dominello said at the time of the funding boost that it would be the “biggest single cybersecurity investment in national history and will strengthen the government’s capacity to detect and respond to the fast-moving cyber threat landscape”.
Dominello’s office did not respond to repeated requests for comment from Crikey on Wednesday and Thursday.
When a spokesperson for the minister finally responded to a message on Thursday morning, it was only to say: “Minister won’t be commenting.”
A Cyber Security NSW spokesperson said the agency accepted all the recommendations made by Crawford and that it was “developing an assurance methodology to support NSW government agencies to consistently assess and report their compliance with” security policies.
“NSW government has invested $315 million to bolster cybersecurity in the state,” the spokesperson said.
“In 2022 CSNSW hosted the 2022 Cyber Insights Series: Beyond Essential Eight … a recurring theme throughout the discussion was that no one framework could serve as the ‘be all and end all’ for robust cybersecurity.
“It is crucial each organisation pursues cybersecurity uplift which considers their own risk profile and resources.”
Labor’s customer service spokesperson Yasmin Catley said she was “concerned” that the agency’s opt-in approach “will leave local councils with unmanaged cybersecurity risks”.
“Addressing this issue should be a priority for the next Parliament,” she said.
“The auditor-general’s finding that Cyber Security NSW have failed to audit agency self-assessments of their compliance with the NSW Cyber Security Policy is deeply concerning.
“Labor understands with the continued digitisation of government services and now shared data between the state and federal governments, it is critical that cybersecurity is a priority policy and investment area for all governments. We must ensure we maintain the trust of citizens that we can protect their data.”