NSW Auditor-General releases cybersecurity insights report


Monday, 30 June, 2025

The Auditor‑General for New South Wales has released the report ‘Cyber security insights 2025’, presenting an analysis of the NSW Cyber Security Policy compliance data submitted by state agencies to Cyber Security NSW in 2024, along with insights into the cybersecurity environment drawn from selected reports published between 2018 and 2025.

The analysis includes reports from performance audits, compliance audits and financial audits.

With the globally increased risk of cybersecurity incidents, there is also increased risk of harm to government service delivery, including the theft of information, breaches of private information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent. These outcomes can have adverse impacts on the community and harm trust in government.

Key insights from the report’s analysis of Cyber Security Policy compliance data include:

  • the need for agencies to focus on the cyber resilience gaps, particularly in implementing ‘protect’ domain controls;
  • a lack of independent assurance over agency reporting against the Cyber Security Policy;
  • limited oversight of third-party providers; and
  • risk that aggregate reporting reduces visibility into agency compliance levels and cyber risks.
     

The report’s analysis of selected Auditor-General reports from 2018 to 2025 identifies that while cybersecurity governance in the NSW public sector has improved through broader adoption of policies and frameworks, there is still a critical need to:

  • address unclear roles;
  • adequately identify information assets;
  • manage third-party cybersecurity risk;
  • address failures to meet basic protection standards;
  • perform phishing simulations more regularly; and
  • align culture with the cybersecurity environment to ensure controls are fit for purpose.
     

The report found that:

  • 69% of the ‘Protect’ mandatory requirements in the NSW Cyber Security Policy were not fully met by reporting agencies;
  • 152 significant, high and extreme residual cybersecurity risks in total were reported by 27 reporting agencies in FY2024; and
  • 59% of reporting agencies did not have independent assurance over their assessment of NSW Cyber Security Policy requirements in FY2024.
     

The reality of cyber threats is evident from monitoring and reporting by the Australian Signals Directorate (ASD) and Cyber Security NSW, and from the case studies included in the report. The ASD highlights in its Annual Threat Report 2023–24 that the top three incident types reported by government entities are:

  • compromised user accounts or credentials;
  • malware infections; and
  • compromised assets, networks or infrastructure.
     

The report reminds agencies that they should remain vigilant, with the ASD and Cyber Security NSW reporting that the tactics of cyber actors are evolving — with the use of more advanced hacking tools, such as artificial intelligence. Cyber Security NSW also emphasises that the risks associated with third-party systems have significantly increased in the NSW Government. The number of reported incidents involving third-party owned or managed systems has tripled in the last reporting year.

Cyber Security NSW continues to create and implement strategies to strengthen cyber resilience across all entities, enabling a cyber-secure NSW Government. NSW Government entities have responded to these strategies, but more work is needed to achieve the minimum requirements set by Cyber Security NSW and to manage the cyber risks faced by individual agencies.

The report can be found here.


  • All content Copyright © 2025 Westwick-Farrow Pty Ltd