New South Wales audit publishes “Cyber Security insights 2025”, which highlights familiar problems with cyber security.

July 11, 2025

The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies’ cyber health and preparedness against a cyber attack. It is a mixed report, which is a concern given that the state collects and holds a vast amount of information about the people of New South Wales and encourages, if not requires, people to do business with the state online. The report is quite critical of aspects of that preparedness.

The ABC has covered the report in a story, NSW audit finds gaps in state, local government cyber protections, which provides:

A cybercrime expert has warned of a “worrying pattern” after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.

State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.

In total, 27 of these agencies reported 152 “significant, high, and extreme” cybersecurity threats in 2024.

According to the report, 28 of the threats had remedies “that were either largely or completely ineffective”.

Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.

Professor of cybercrime at the University of NSW Richard Buckland said the report’s findings showed entities were increasingly at risk.

He said that if effective, a cyber attack could “paralyse a section of society or the government”.

“This has been a pattern, a worrying pattern,” he said.

The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch.

Professor Buckland said he understood the desire to outsource but warned it came with its own risks.

“We saw the big Microsoft blackout last year; that was really a third party used by multiple people, CrowdStrike, going wrong, so it is a big risk,” he said.

“It’s harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don’t have external capability to jump in when something goes wrong.”

It comes after Qantas reported a major cyber attack in which it said a “significant” portion of its six million customers’ data was stolen and that a “potential cyber criminal” had made contact with the airline.

Less than 70pc of council staff cyber-trained

In 2020, the personal information of more than 180,000 people was compromised by hackers who managed to access information held by Service NSW.

Responding to the attack cost the state government more than $30 million, the audit office reported.

Professor Buckland said the report pointed out the “same problem” every year and government agencies were “just not adequately defended”.

“They [the audit office] must be tearing their hair out wondering what they can do to bring about change.”


The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness.

It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.

Councils in NSW are not mandated to implement Cyber Security NSW’s policies, but the agency recommends they adopt safeguards.

“In a way they’re [local councils] less capable, have less staff and less budget to deal with this, so I feel very sorry for them,” Professor Buckland said.

“We’ve seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations.”

Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to “plug gaps” in cybersecurity funding.

“It is a concern. I’m going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified,” he said.

“That’s not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government.”

He warned it will cost a lot more to make all government agencies safe.

“Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard,” the premier said.


The highlights of the report are:

  • agencies need to improve further to achieve a cyber-secure NSW government.
  • most agencies do not fully meet the requirements of the NSW Cyber Security Policy (CSP).
  • planned or in-progress cyber security uplift programs and budget constraints were the most common reasons given for partial or non-compliance with minimum requirements.
  • because of aggregated reporting and limited independent assurance processes, there is limited visibility of cyber security and a potential risk to reporting accuracy.
  • there is a lack of independent assurance over agencies’ reported compliance against the CSP, with 59% advising they did not have independent assurance.
  • the biggest gaps in cyber resilience are in the implementation of the minimum ‘protect’ domain controls. The absence of ‘protect’ domain controls increases the likelihood of a successful cyber attack.
  • agencies’ control compliance is not reported when the control is performed by third parties. Agencies and Cyber Security NSW may not be aware of any non-compliance against the CSP where the cyber security control practice is provided by third parties.
  • a total of 152 significant, high and extreme residual cyber security risks were reported by 27 agencies. Of the 152 risks reported:
    • 39 risks (25.6%) were not reported by agencies to their respective Audit & Risk Committees
    • 30 risks (19.7%) have a mitigation timeframe of more than one year
    • a further 60 risks (39.5%) have unspecified timing for when agencies plan to reduce the risks to an acceptable level
    • 28 risks (18.4%) were reported with treatment controls that are either largely ineffective or totally ineffective.
  • the use and adoption of cyber security frameworks is improving, but not consistently across sectors.
  • 100% of the agencies conducted cyber risk assessments; however, only 77% had assessed their cyber risks against their cyber risk appetite, and 90% of those noted risks above their appetite.
  • 84% of the agencies had comprehensive cyber security plans covering all IT systems, while 16% focused only on their most critical assets or ‘crown jewels’.
  • 68% of the agencies had not undertaken a process to identify digital or electronic intellectual property assets, such as patents, copyrighted material or trade secrets.
  • 24% of the agencies had not undertaken a process to identify highly sensitive digital or electronic assets, such as Cabinet-in-confidence information or data requiring security clearance, like classified information.
  • between 2019 and 2024, there was a notable increase in cyber security training and awareness exercises among agencies covered in the internal controls and governance report.
  • in the local government sector, only 24% of councils had trained staff in cyber awareness in 2019; this later grew to 74%, then dropped slightly to 69% in 2024.
  • in 2024, 45% of councils did not conduct phishing simulations. Among the 55% that did, five councils failed to provide feedback to staff who reacted inappropriately to the phishing exercise.
