The NSW government has been told to urgently improve its cyber security resilience for a third straight year after agencies again reported low levels of maturity against the Essential Eight.
The finding is contained in an annual audit of the state’s central agencies, which looked at self-assessments against controls now considered the state’s baseline for cyber security.
The Essential Eight is a series of baseline cyber security mitigation strategies and a maturity model recommended by the federal government.
NSW has one of the strictest cyber security regimes at any level of government, going well beyond the frequently ignored Top Four control mandate at the federal level.
NSW government agencies are able to assess themselves under four levels of maturity: ‘maturity level zero’, ‘maturity level one’, ‘maturity level two’ and ‘maturity level three’.
Three of these levels are found in the Essential Eight, while ‘maturity level zero’ is a NSW government construct.
Results of the self-assessment are provided to the head of the agency and the whole-of-government cyber security office, Cyber Security NSW.
But almost two years after the self-assessment requirement was introduced, the auditor last week found “limited progress” with the implementation of the Essential Eight.
“NSW government agency self-assessment results show that the NSW public sector’s cyber security resilience needs urgent attention,” the report states.
In the 103 assessments submitted, the vast majority of agencies reported either maturity level zero or maturity level one against the Essential Eight – similar to an audit of the controls last year.
Application whitelisting and user application hardening continue to be the areas of greatest concern, with 70 percent and 45 percent of assessments respectively falling into maturity level zero.
Level zero for application whitelisting means an agency has “not fully implemented” an application whitelisting solution on workstations and is not performing application whitelisting on servers.
For user application hardening, “requirements for privileged accounts are not consistently validated” by agencies, with “no duties-based restrictions on privileged accounts… applied”.
Around 38 percent of agencies also fell into the bottom category for application patching, while operating system patching (32 percent) was also rated poorly.
Daily backups and restricting administrative privileges were the best performing controls, followed by configuring Microsoft Office macros and multi-factor authentication.
As it did in 2019, the auditor-general has recommended that “Cyber Security NSW works with agencies to improve cyber security resilience as a matter of urgency”.
The auditor-general is also planning to conduct an audit later this financial year to examine whether agencies are complying with the cyber security policy.
Another audit of Service NSW’s cyber security is currently underway – at the request of Customer Service Minister Victor Dominello – after an email account compromise exposed 736GB of data.
The NSW parliament has similarly opened a cyber security inquiry following the Prime Minister’s cyber security warning to the nation in June.
The government is planning to spend $240 million over the next three financial years to improve cyber security across government and increase the size of its cyber workforce.
It has already pledged to grow Cyber Security NSW from around 25 staff to 100 in a bid to help smaller agencies, as well as councils, with their IT security needs.