NSW Government agencies have ineffective cybersecurity controls: report


Tuesday, 15 July, 2025

The Audit Office of New South Wales has found that NSW Government agencies on the whole still have limited visibility of their cybersecurity and minimal controls in place to protect against cyber attacks.

The Cyber Security Insights 2025 report presents the Audit Office’s analysis of the NSW Cyber Security Policy compliance data submitted by state agencies to Cyber Security New South Wales in 2024.

The report’s further analysis of selected Auditor-General reports from 2018 and 2025 identifies that while cybersecurity governance in the NSW public sector has improved through broader adoption of policies and frameworks, there is still a critical need to:

  • address unclear roles
  • adequately identify information assets
  • manage third-party cybersecurity risk
  • address failures to meet basic protection standards
  • perform phishing simulations more regularly
  • align culture with the cybersecurity environment to ensure controls are fit for purpose.
     

The report also states that the top three incident types reported by government entities are compromised user accounts or credentials; malware infections; and compromised assets, networks or infrastructure.

The report also found that:

  • Across NSW agencies, the biggest gaps in cyber resilience are in the absence of the minimum ‘protect’ domain controls.
  • Agencies’ control compliance is not reported when performed by third parties.
  • Planned or ongoing cybersecurity uplift programs and budget constraints were the most common reasons agencies provided for not meeting the minimum cybersecurity requirements.
  • Aggregated reporting to Cyber Security NSW reduces transparency of issues at individual agencies, which is especially relevant when there are portfolios of agencies with mixed or unclear cybersecurity responsibilities.
  • A total of 152 significant, high and extreme residual cybersecurity risks were reported by 27 agencies. Of the 152 risks reported, 28 had treatment controls that were either largely or completely ineffective. In addition, 60 risks lacked specified timelines to reduce them to an acceptable level.
     

The Audit Office advises agencies to remain vigilant as the Australian Signals Directorate and Cyber Security NSW warn that the tactics of cyber actors are evolving, with the use of more advanced hacking tools such as AI.

While agencies have responded to strategies created by Cyber Security NSW to strengthen cyber resilience across government, the report concludes “more work is needed to achieve the minimum requirements set and to manage the cyber risks faced by individual agencies.”

The Cyber Security Insights 2025 report can be found here.
