A state audit has found that most assessed NSW government agencies carry cyber security risks above their own stated risk appetites, and that most of those agencies have set no deadline for bringing the risks back within appetite.
The audit was conducted as part of the NSW Cyber Security Policy, which was launched in 2019.
In the NSW Auditor-General's report released earlier this week (2 October), the Audit Office reviewed the cyber security standing of 26 government agencies.
According to the report, of the 20 agencies that evaluated their cyber security risks, 18 assessed that “their cyber security risks were above their appetites”.
Of those 18, 14 had set no deadline for bringing the risks back within appetite and had instead adopted "open-ended time frames".
Four of the 26 agencies provided no additional cyber awareness training for staff in high-risk roles, three had neither mandated annual cyber security training nor defined their training requirements, and two had no funded plan to improve their cyber security at all.
On identifying and recording cyber risks, the overall finding was that agencies need a more consistent approach to how risks are recorded and reported.
“Despite similar frameworks, agencies have taken different interpretations of how to define and record risks,” said the report.
“The number of cyber security risks recorded by agencies ranged from one to 298. While some variance would be expected due to the size and complexity of agencies, risk registers ought to be at a level that informs and supports decision making rather than simply a list of all known vulnerabilities or potential incidents and causes of incidents.”
The report also found that even where agencies treat cyber awareness training as mandatory, completion rates were often well short of full coverage.
“Where it has been mandated that staff complete awareness training, agencies reported actual completion rates between 66 per cent and 100 per cent (22 agencies). One agency could not provide statistics on their rates of completion,” the report said.
Excluding the three agencies that do not mandate the training at all, 13 agencies notify a staff member's manager when the training is not completed, while the other nine follow up with the staff member directly.