The New South Wales Public Sector’s cybersecurity resilience “needs urgent attention”, according to a recent audit report from the state audit office.

Auditor-General Margaret Crawford’s latest audit into NSW central agencies found “more work needs to be done” to improve cybersecurity resilience, based on agency self-assessments.

NSW agencies are required to conduct an annual maturity self-assessment against the Australian Cyber Security Centre’s eight key mitigation strategies, to be delivered to agency heads and the state cybersecurity agency.

The Essential 8 sets out mitigation strategies to prevent malware delivery and execution, to limit the extent of cybersecurity incidents, and to recover data and maintain system availability. They include:

Application whitelisting,

Patch applications,

Configure Microsoft Office macro settings,

User application hardening,

Restrict administrative privileges,

Patch operating systems,

Multi-factor authentication,

Daily backups.

Under the Essential 8 model, three levels of “maturity” allow agencies to assess whether their implementation of the mitigation strategies aligns with the intent of each strategy. The NSW policy uses an extra level — maturity level zero — to indicate where an agency’s implementation fails to align with the intent of a mitigation strategy.

At the time of the audit, Cyber Security NSW had received 62 completed self-assessments across the eight areas. Of these, the majority reported low levels of maturity, and “highlighted limited progress in implementing the Essential 8”.

Out of the 62 self-assessments for application whitelisting, 53 fell into the maturity level zero category. Only four were assessed as maturity level three (fully aligned with the intent of the mitigation strategy).

For the user application hardening strategy, 45 of 62 reports were rated as maturity level zero, with only one self-assessment fully aligning with the intent of the strategy.

The daily backups strategy indicated the highest level of maturity overall, with 27 maturity level three assessments.

Crawford recommended Cyber Security NSW work with agencies to improve cybersecurity resilience “as a matter of urgency”.

The auditor-general made similar recommendations in March 2018, stating:

“Given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly.”