Transport for NSW (TfNSW) and Sydney Trains have been singled out by the state’s Auditor-General for failing to “effectively” manage their cyber security risk.
Following an audit, the two agencies were found to have “significant” cyber risks and did not have a culture where cyber security risk management is an important and valued aspect of decision‑making.
In addition, only 7.2 per cent of staff have completed basic cyber security training, the report said.
The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents and identifying the agency’s ‘crown jewels’ — their most vital systems.
However, according to the Auditor-General, neither agency has reached its target ratings for the CSP or the Essential 8, and their maturity remains low, leaving significant risks and vulnerabilities exposed.
The two agencies use a combined Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP), but, following their own audits, found the risks to be “unacceptably high”.
As a result, the Auditor-General's report recommended that the agencies develop and implement a plan to uplift the Essential 8 controls to the agency's target state and remedy the vulnerabilities identified.
In addition, the report suggested the agencies enforce cyber security risk reporting to executives and the Audit and Risk Committee, and collect supporting information for the CSP self‑assessments.
Other areas for improvement include better identification and protection of the ‘crown jewels’ systems, better uptake of cyber training and more rigorous analysis to re‑prioritise CDP funding.
The New South Wales government first introduced a cyber security strategy at the end of 2018 as part of a bid to have agencies across the state take an integrated approach to preventing and responding to cyber threats.
However, in the middle of last year, the NSW Government set out plans to redevelop “a comprehensive, sector-wide cyber security strategy” and called for submissions from industry and cyber security experts.
Since then, the State Government has merged the two strategies, creating a unified 2021 NSW Cyber Security Strategy.
This is underpinned by four key areas: increasing NSW government cyber resiliency, helping NSW cyber security businesses grow, enhancing the cyber security workforce and its skills, and supporting cyber security research and innovation.