AUDITOR-GENERAL’S REPORT EXPOSES BEREJIKLIAN GOVERNMENT’S FAILURE TO MANAGE CYBER SECURITY RISKS
The Auditor-General has today handed down their report into Managing Cyber Risks, focusing on Transport for NSW and Sydney Trains, finding that the Government is not effectively managing cyber security risks.
Shadow Minister for Customer Service and Digital, Yasmin Catley MP, said this is a scathing report that exposes the unacceptable risks to cyber security and citizens’ data under this Government.
‘It is extremely concerning that the Auditor-General’s Office discovered significant potential risks to cyber security that neither Transport for NSW nor Sydney Trains were aware of’.
The potential risks to cyber security were significant enough that Transport for NSW, Sydney Trains, and Cyber Security NSW requested aspects of the report be redacted in order to reduce the likelihood of an attack on their systems.
This is only made worse by the agencies failing to remediate the identified security risks in the six months from December 2020.
At the Upper House Inquiry into Cyber Security conducted in February 2021, the Deputy Auditor-General testified about the importance of executive leadership to address cyber security.
The Berejiklian Government invested $240 million to achieve this, yet the Auditor-General’s report found that neither Transport for NSW nor Sydney Trains has fostered a culture that values cyber security risk management in executive decision-making.
‘The Minister must explain why despite numerous reports now from the Auditor-General and an Upper House inquiry into Cyber Security, the Government have failed to address significant weaknesses that exist in their cyber security controls’.
Just this week, the Department of Education was the victim of a cyber security attack – it is just one in a long list of cyber security failures that includes:
- A data breach of Service NSW in March 2020, resulting in leaking of the personal information of up to 186,000 people.
- A March 2021 NSW Parliamentary Committee report finding that this Service NSW data breach could have been prevented, had known risks been acted on.
- Evidence given to this Committee from the NSW Electoral Commissioner stating that a lack of funding means the Electoral Commission “does not comply… with the NSW public sector’s mandatory cyber security policies”, and that “without immediate investment, the risk of system errors or failures will be increased for the next State election to an unacceptably high level”.
- A December 2020 Auditor-General report concluding that “Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency” – a warning the Auditor-General has been forced to issue three years in a row.
- A record 68 cyber security breaches in the latest available data for October to December 2020 – an almost 200% increase on the 23 breaches in the same quarter of the previous year.