The NSW government may have left itself open to potential cyber attacks after it was discovered that over two-thirds of all agencies have not updated their protections to mandatory levels.
The Cyber Security Insights 2025 Report, released by the NSW Auditor-General, found that only 31 per cent of government agencies had implemented mandatory protection controls.
According to the report, agencies performed worst in the “protect” domain, which covers essential cyber security protections such as multifactor authentication, network security and regular software updates.
“The absence of ‘protect’ domain controls increases the likelihood of a successful cyber attack,” said the report.
The report also found that a number of agencies still had zero maturity for critical protections.
Most agencies cited budget constraints and ongoing cyber programs as the reason for not meeting minimum requirements.
Additionally, agencies relying on third parties did not have control compliance reported, meaning that they may be unaware of non-compliance against the state Cyber Security Policy, which outlines mandatory requirements.
This is especially concerning at a time when third-party cyber incidents are increasing, according to Cyber Security NSW.
“Third-party cyber risk management is a significant challenge. When outsourcing, entities retain accountability for managing associated risks. Cyber Security NSW reported that the number of incidents involving systems owned or managed by third parties nearly tripled in 2024, including a rise in data breach occurrences,” it said.
Most alarming is the failure to meet Essential Eight cyber protections, despite them being a key focus for the government for years.
“Many agencies have not met level one Essential Eight cyber protection measures despite this approach being a focus for many years. Some agencies reported zero maturity for critical controls such as application control, patching and administrative privilege restrictions.
“Of the 66 out of 177 agencies that reported, 27 reported ‘a total of 152 significant, high and extreme residual cyber security risks’,” the report said.
On the plus side, Cyber Security NSW found that awareness training has improved across government agencies. In 2021, 92 per cent of agencies had conducted cyber security training, up from 70 per cent in 2019. Ninety per cent had conducted awareness exercises in 2022, and in 2024, 12 per cent of reviewed agencies had not defined their cyber security training requirements or their mandated annual cyber security training.
However, despite 96 per cent having performed phishing simulations, the report suggests they should be used more often.
“Human errors are often a common cause of cyber attack, as cyber criminals frequently target individuals through phishing and other methods to infiltrate networks,” the report said.