With the all-pervasive menace of cyber crime on the rise, a study was conducted to analyse the internal controls and governance at the 25 largest public sector agencies in NSW, Australia, for the year 2022. The study conducted by the audit office of New South Wales excluded state-owned corporations and public financial corporations. The findings of the report were startling, with the share of high-risk control deficiencies increasing to 8.2 percent, compared to 5.9 percent in 2020-2021. Among the high-risk findings, 23 were related to financial controls, while seven were related to IT controls. Control deficiencies, which were found to be repeated in the report, represented 48 percent compared to 47 percent in 2020–21. The findings related to deficiencies in information technology and general controls were no less severe. Mostly centred around user access reviews, IT deficiencies affected 56 percent of companies.
Highlights of the Report on Cybersecurity
In addition to the findings mentioned above, the report showed glaring inadequacies in the cybersecurity preparedness of many companies, as shown below:
Findings on cyber security: Even as several high-profile cyber security incidents have dented the confidence of customers, the study did not find much improvement in companies setting up controls. In fact, the self-assessed maturity levels of companies for complying with the mandatory requirements of the NSW cyber security policy were found to be lower than the target levels. Surprisingly, the maturity levels of companies under review to meet the Australian Cyber Security Centre’s Essential Eight controls were not much to brag about either. The report suggested the management of cybersecurity risks associated with third-party IT services to be improved. Such IT service providers with weak security controls can pose a risk to companies hiring their services. This is where such companies can hire the expertise of companies offering cybersecurity services, such as Cybernetic Global Intelligence, and mitigate risks. Accordingto Manish Chaudhari, CISO, Cybernetic Global Intelligence, IT service provider should not gloss over the inherent inadequacies in their IT infrastructure but work towards strengthening it. And their inability to do so can put them in the path of no return.
Consultants and contractors: It was observed that most companies under review relied on the same consultants and contractors. In fact, a quarter of them reengaged the same contractor over a period of five years. And when it came to complying with the employment screening requirements of the Government Sector Employment Act 2013 with respect to residency or citizenship, around 24 percent were found wanting. This was especially true when it came to the screening and induction practices for temporary workers. Since the practices are not followed stringently, there is an increased risk of applicants getting into the system with false credentials or corrupt conduct.
Contract management: Half of the companies surveyed had their procurement contact registers incomplete. This is definitely incompatible with the compliance requirements for the Government Information (Public Access) Act of 2009.
Other Highlights of the Report Based on a Study of the 25 Largest NSW Government Agencies
Some highlights of the report are mentioned below:
- 23 high-risk findings identified.
- 20 percent of companies did not state how they manage cyber risks pertaining to third-party IT service providers.
- Total contractor fees of $1.2 billion were spent by 25 companies in 2022.
- About 48 percent of deficiencies related to internal control were repeat findings.
- Total consultant fees paid by 25 companies in 2022 were $127 million.
- About 42 percent of companies conducted credential checks for their appointments.
Cluster Group of Companies Surveyed in the Report
The 25 companies included in the report have been broadly divided into the following clusters:
- Education
- Planning and environment
- Regional NSW
- Strong communities
- Premier and cabinet
- Transport
- Enterprise, investment, and trade
- Treasury
- Health
- Customer service
Recommendations Offered by the Audit Office NSW, Australia
The recommendations offered by the audit office of New South Wales for companies included the following:
- Repeat control deficiencies should be addressed by prioritising actions.
- Improve the cybersecurity and resilience of the companies.
- Conduct mandatory cyber training for all staff and improve the completion rates.
- Reassess the contractor engagements that have been renewed over multiple years on a regular basis.
Conclusion
According to the audit report, many companies have failed to implement strict cybersecurity controls. The deficiencies with respect to access controls, authentication, screening and induction of candidates, and others, have been found to be glaring. Manish Chaudhari, CISO, Cybernetic Global Intelligence states that if the deficiences are not addressed quickly and comprehensively, the issues could be exploited by threat actors to cause data breaches. To ringfence the IT infrastructure, comply with industry standards, and mitigate threats, companies in NSW and elsewhere in Australia, New Zealand, and the Asia Pacific region, can leverage the services of Cybernetic Global Intelligence, a premier cybersecurity company. Call 1300 292 376 or send an email to Contact@cybernetic-gi.com to learn more about addressing all cybersecurity concerns.