The NSW auditor-general has blasted the state's agencies for lacking the capacity to react to cyber security incidents, urging the government to immediately introduce stronger practices.
The state's audit office today released its report [pdf] into the public sector’s ability to detect and respond to cyber security incidents, focusing on 10 unnamed agency case studies and the Department of Finance, Services and Innovation's role as lead agency for cyber security.
It found instances of “poor detection and response practices and procedures”, as well as the absence of a “whole-of-government capability to detect and respond effectively to cyber security incidents”.
The audit specifically targeted “agencies that should have a strong detection and response capability as they are collectively responsible for personal data, critical infrastructure, financial information and intellectual property”.
Of the 10 agencies audited, only two were found to have good detection and response processes, including “monitoring firewall logs, server logs, web filtering and antivirus software, and alerts and reports from IT service providers”.
The remaining eight had either a low or medium detection capability, which the audit office noted was a “concern” given “undetected incidents have the potential to not only damage that agency but to spread and impact other agencies”.
Most agencies were found to “use an automated [SIEM] tool for detecting and alerting IT administrators” when a suspected incident occurred, but coverage “ranges from 100 percent of IT systems in some agencies we reviewed to just a few key systems in others”.
Two agencies were identified as having no access to a SIEM tool, and were said to only “review their logs and alerts periodically or on an ad hoc basis”.
“Overall, this means that some case study agencies only have partial coverage of IT systems, limiting their ability to detect incidents across the full range of their information systems,” the audit office said.
The auditor suggested this could mean agencies were “relying instead on contractual arrangement and advice from IT service providers”.
However, problems were also identified with the contractual obligations of IT service providers to report incidents to agencies, with only two of the 10 agencies having arrangements in place.
“Agencies without such arrangements have little assurance that they are advised of all significant incidents in a timely way,” the audit office said.
“Where agencies are not informed of an incident, they cannot act to contain the incident and limit damage to themselves and their stakeholders.”
While most agencies had some form of incident response procedures, “some lack[ed] guidance on who to notify and when”, and others had no response procedures at all.
“Eight agencies had not tested their procedures, presenting a risk they may not work well during a real cyber incident.”
Some agencies were also found not to have reported incidents to DFSI despite it being a mandatory requirement, while others said they wouldn’t report if a cyber security incident had occurred “because they saw little benefit” in doing so.
In one instance, an agency waited 36 days to inform Finance of an email phishing incident aimed at gathering staff credentials to create fraudulent payments. It was eventually resolved after 49 days.
“This limits DFSI's ability to coordinate a whole-of-government response and support agencies to properly manage cyber security incidents,” the office said.
However, the report also criticised DFSI’s guidelines on which incidents should be reported as being “weak”, with no mechanism for agencies to share information after cyber incidents had been resolved.
It said the appointment of a government chief information security officer last year went some way to improving co-ordination across the public sector, but DFSI had “not allocated resources to gather or process incoming threat intelligence and communicate it across government”.
The audit office has urged the public sector to “significantly and quickly” improve its ability to detect and respond to incidents.
It recommended revising the state's digital information security policy, and creating a range of best practice guidelines and training and awareness programs as a matter of priority.
The government should also develop an incident reporting mechanism for agencies, and direct agencies to include a standard clause in contracts that requires “IT service providers to report all cyber security incidents”, the audit office said.
In response to the audit report, the NSW government said it would “take the report’s findings very seriously and will endeavour to implement its recommendations”.
“We acknowledge that more must be done to protect our systems and ensure they are resilient and fit-for-purpose in the digital age.”