The NSW government has been told to improve its cyber security resilience for a second time in less than two years, after the majority of agencies reported low levels of maturity under the Essential Eight model.
An annual audit of the state’s central agencies, released on Thursday, reveals that the NSW public sector is struggling to meet the requirements of the government’s new cyber security policy.
The policy, which came into effect in February, requires agencies to self-assess their maturity against the Essential Eight mitigation strategies, which the Australian Signals Directorate now considers the baseline for cyber security.
It was introduced in the wake of a 2018 audit that found agencies lacked the capacity to detect and respond to cyber security incidents, and that there was no government-wide capability to detect and respond to cyber security events.
Agencies assess themselves against four levels of maturity: zero, one, two and three. Three of these levels come from the Essential Eight maturity model, while ‘maturity level zero’ is specific to the NSW policy.
The policy also introduces a number of other requirements, including that agencies identify their most critical systems or ‘crown jewels’ and report them to the whole-of-government cyber security office, Cyber Security NSW.
But in the 10 months since the policy came into effect, the 62 assessments received by Cyber Security NSW highlight “limited progress in implementing the Essential Eight”, the NSW auditor said.
“NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention,” the audit states.
Of the 62 assessments completed, the majority reported low levels of maturity across all eight mitigation strategies for servers, which the auditor said “generally poses the greatest cyber security risk”.
Areas of particular concern include application whitelisting and user application hardening, with 90 percent and 94 percent of assessments in these respective areas falling into the maturity level zero or one category.
The highest levels of maturity, on the other hand, were for daily backups (38 assessments at maturity level three or four) and patching operating systems (27 assessments at maturity level three or four).
The auditor has called on Cyber Security NSW to work with agencies to “improve cyber security resilience as a matter of urgency”.
The auditor is now planning to conduct a ‘cyber security and digital disruption’ performance audit, which will be published in mid-2020.
The audit will examine how effectively agencies are identifying and managing their cyber security risks, including compliance with the cyber security policy.