The number of cyber incidents involving systems owned or managed by third parties nearly tripled in 2024, with data breaches among the incident types that rose, according to a report released by the NSW Audit Office.
The risks associated with third-party systems have also “significantly increased in the NSW Government,” Cyber Security NSW said in the report.
Titled ‘Cyber security insights 2025’, the report analyses the NSW Cyber Security Policy (CSP) compliance data that State agencies submitted to Cyber Security NSW in 2024, together with insights into the cyber security environment drawn from selected reports published between 2018 and 2025.
The analysis includes reports from performance audits, compliance audits and financial audits.
“Third-party cyber risk management is a significant challenge given the prevalence of cases of cyber security incidents involving third parties,” the report stated.
The Audit Office said in the report that third-party compliance with minimum CSP requirements may be known to the agency but is not reported to Cyber Security NSW.
“An absence of clear reporting risks agencies and Cyber Security NSW not knowing about non-compliance against the CSP where the cyber security control practice is provided by the third parties,” the report said.
The greatest third-party reliance that is neither reported nor assessed against CSP requirements falls in the ‘Protect’ domain. This domain covers all of the ACSC Essential Eight controls, as well as controls for access, data, email and network security.
“When in place and effective, these technical controls provide preventative protection against cyber attacks,” the report said.
The CSP is mandated for NSW Government departments and public sector agencies. It is not mandatory for state-owned corporations, local governments and universities, although its adoption is recommended for them.
By 31 October each year, agencies are required to report their CSP compliance status (as ‘non-compliant’, ‘partially compliant’ or ‘compliant’) together with any high or extreme residual risks. They must also provide a cyber security attestation to Cyber Security NSW.
Most are not meeting CSP requirements
The analysis of the 2024 data reported to Cyber Security NSW shows that NSW State agencies need to improve further to achieve a cyber-secure NSW government, according to the report.
Sixty-six reports, covering 177 agencies, were provided to Cyber Security NSW in 2024, down from 110 in 2023. The fall reflects a change to aggregated reporting at portfolio level rather than at individual agency level.
A total of 152 significant, high and extreme residual cyber security risks were reported by 27 agencies. Of those risks, 28 had treatment controls that were either largely or completely ineffective, and 60 lacked a specified timeline for reducing them to an acceptable level.
Across NSW agencies, the biggest gaps in cyber resilience were in the implementation of the minimum controls of the ‘Protect’ domain.
“Most agencies are not fully meeting the requirements of the Cyber Security Policy – particularly, those of the ‘Protect’ domain, for which only 31 per cent of the Mandatory Requirements are met,” the report said.
The Mandatory Requirements are the minimum baseline that NSW Government agencies must implement. They combine the management and governance practices needed to establish an effective cyber security program with key systems-based controls that improve cyber hygiene and help agencies protect themselves against common threats.
The CSP, last updated in February 2024, sets out Mandatory Requirements across three domains: ‘Govern and Identify’; ‘Detect, Respond and Recover’; and ‘Protect’.
Planned or ongoing cyber security uplift programs and budget constraints were the most common reasons agencies provided for not meeting the minimum cyber security requirements.
The report also highlighted a lack of independent assurance over agencies’ reported compliance with the CSP: 59 per cent of reporting agencies advised that they had no independent assurance.
“The absence of independent assurance increases the risk of inaccurate data being reported to Cyber Security NSW,” the report stated.
Essential Eight maturity also lacking
Drawing on audits of cyber security management across NSW state agencies, universities and local government between 2018 and 2025, the report found that many entities have not reached Maturity Level One of the Essential Eight.
Some agencies reported Maturity Level Zero for critical controls such as application control, patching and restriction of administrative privileges.
Elsewhere, the report said that many entities reported cyber security risks exceeding their risk appetite, but not all have a formal uplift program.
“A current cyber security uplift program is vital for managing residual risks,” the report said.
“Budget constraints and other challenges reported by NSW agencies may also apply to universities and local government sectors.”
The report also found that the adoption and use of cyber security policies and frameworks is improving, as is cyber security awareness training, while the testing of cyber incident response plans and the development of more comprehensive playbooks still have room to improve.
Cyber Security NSW recently received $87.7 million to work with government entities to prevent, detect and recover from cyber incidents.