An audit of Cyber Security NSW has called on the agency to do more to verify that government entities actually have the protections they claim, rather than relying on their own assessments.

Cyber Security NSW was created to help other government entities fortify themselves against hackers. However, the state’s auditor-general says it is not doing enough to ensure protections are in place.

The audit also raises concerns about how councils and other local government bodies are monitored for cybersecurity weaknesses, and how those weaknesses are reported.

The auditors’ report questions the efficacy of agencies assessing their own compliance, though it does not directly criticise the practice; instead it calls on Cyber Security NSW to check whether any agency is over-inflating its security claims.

“As a central agency whole-of-government function, Cyber Security NSW’s primary form of authority is a mandatory administrative requirements circular issued by the Secretary of the Department of Customer Service,” the audit states.

“The circular notes that clusters and agencies will be ‘…subject to audits by Cyber Security NSW commencing 2020–21 to test compliance with the Policy and reporting these outcomes to the Secretaries’ Board’.

“Cyber Security NSW has not yet performed audits of agencies to test compliance with the Cyber Security Policy.

“This is despite the Audit Office of NSW (and an external consultant engaged by Cyber Security NSW) previously finding inconsistency in how agencies perform and report these self-assessments.

“It is unclear what method or process is applied to prioritising functions or activities, particularly longer-term initiatives. Interviews with staff and stakeholders noted that Cyber Security NSW has a service-focused, customer-centric approach to engaging with agencies and councils, including to build its reputation during its period of expansion,” the report says.

The auditors noted serious problems with local government cyber security, which they attributed partly to a lack of funding and resources in the sector and partly to Cyber Security NSW’s inability to compel councils to act.

“Cyber Security NSW has a remit to assist local government to improve cyber resilience; however, it cannot mandate action, and does not have a strategic approach guiding its efforts,” the audit says.

“Among agencies and councils consulted in this audit, there was general acceptance and understanding of the high-level purpose of Cyber Security NSW, although there were mixed views on how robustly it should undertake its compliance and assurance role.

“While agencies consulted were not receptive to the idea of Cyber Security NSW playing a strong enforcement and regulatory role, there was an acknowledgement of the need to ensure that agencies were achieving, assessing, and reporting on their compliance under the Cyber Security Policy in a consistent and reliable manner.”