The NSW government has been chided for failing to have proper processes in place to protect its agencies from cyber attacks.
The NSW auditor-general, in a damning report published on Friday, found the state's public sector had "no capability" to effectively detect and respond to cyber security incidents.
Agencies shared little information about incidents between them and some had poor practices and procedures, the review by Margaret Crawford concluded.
"I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost," she said in a statement.
"The NSW government needs to establish a clear whole-of-government responsibility for cyber security that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a co-ordinated way."
The report warned that information could be stolen, systems could be hijacked for profit or malicious purposes, and access to critical technology could be denied if incidents weren't properly dealt with.
The audit looked at 10 agencies, as well as the Department of Finance, Services and Innovation (DFSI), which is responsible for cyber security.
Only two agencies were found to have good detection and response processes, with most relying on an automated tool for alerting IT administrators when there's a suspected incident.
Cyber security training for staff was also limited, and who was responsible for what within each agency was unclear.
"Incident detection and response are likely to be less effective if roles and responsibilities are not clear," the report said.
It found DFSI does not have a clear mandate to assess whether agencies are able to effectively detect and respond to incidents, nor can it force them to report incidents or threats.
The department hasn't allocated any resources to gather and process incoming threat intelligence and spread the word across government.
"During an incident impacting multiple agencies, this could reduce the NSW public sector's ability to respond quickly and appropriately."
The government says it takes the report's findings "very seriously".
"We acknowledge that more must be done to protect our systems and ensure they are resilient and fit-for-purpose in the digital age," Minister for Finance, Services and Innovation Victor Dominello said in a statement.
He noted the government had recently appointed a chief information security officer to improve cyber security co-ordination and support across agencies.
Share
