
NSW audit finds gaps in state, local government cyber protections

ABC News

07-07-2025


A cybercrime expert has warned of a "worrying pattern" after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.

State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.

In total, 27 of these agencies reported 152 "significant, high, and extreme" cybersecurity threats in 2024. According to the report, 28 of the threats had remedies "that were either largely or completely ineffective". Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.

Professor of cybercrime at the University of NSW Richard Buckland said the report's findings showed entities were increasingly at risk. He said that if effective, a cyber attack could "paralyse a section of society or the government".

"This has been a pattern, a worrying pattern," he said.

The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch.

Professor Buckland said he understood the desire to outsource but warned it came with its own risks.

"It's harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don't have external capability to jump in when something goes wrong."

It comes after Qantas reported a major cyber attack in which it said a "significant" portion of its six million customers' data was stolen and that a "potential cyber criminal" had made contact with the airline.

In 2020, the personal information of more than 180,000 people was compromised by hackers who managed to access information held by Service NSW. Responding to the attack cost the state government more than $30 million, the audit office reported.

Professor Buckland said the report pointed out the "same problem" every year and government agencies were "just not adequately defended".

"They [the audit office] must be tearing their hair out wondering what they can do to bring about change."

The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness. It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.

Councils in NSW are not mandated to implement Cyber Security NSW's policies, but the agency recommends they adopt safeguards.

"We've seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations."

Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to "plug gaps" in cybersecurity funding.

"It is a concern. I'm going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified," he said.

"That's not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government."

He warned it will cost a lot more to make all government agencies safe.

"Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard," the premier said.
