Against an increasingly challenging cyber landscape, last year Cyber Security NSW continued its multifaceted approach to bolster the cyber security of the NSW Government, with some of our key achievements towards this goal detailed below.
Notably, Cyber Security NSW has now completed all four recommendations outlined in the Audit Office of NSW’s report ‘Cyber Security NSW: governance, roles, and responsibilities’. This includes developing an assurance methodology to support NSW Government agencies to consistently assess and report their compliance with the NSW Government Cyber Security Policy, as well as publishing a strategic plan, service catalogue and local government engagement plan.
In line with its mandate, Cyber Security NSW assists NSW Government entities in managing their cyber risk through a wide range of products and services, and provides strategic cyber security leadership.
Cyber security is a whole-of-business risk that is owned by each organisation. As the digital landscape evolves, NSW Government entities take a proactive approach to cyber security through risk management, as they are the custodians of a wealth of data and provide vital public services.
Cyber Security NSW’s initiatives enhance NSW’s all-of-government cyber resilience, with the central goal of protecting the confidentiality, integrity and availability of NSW Government systems and services. This encompasses not only technical controls, but also the people and processes elements of cyber security.
Each NSW Government entity has its own unique risk profile, shaped by factors such as size and the nature of its operations. Understanding each profile is key to implementing tailored risk mitigation strategies that address the specific threats and challenges faced by that organisation.
Cyber Security NSW assists in the cyber uplift of NSW Government entities through:
- security assessments to identify strengths and areas requiring improvement
- awareness and training to improve cyber hygiene among staff
- advice and guidance on risk and implementation of the NSW Cyber Security Policy
- proactive and targeted threat intelligence and recommended mitigations in the NSW context
- incident response when cyber security incidents occur.
These services are tailored as required, enabling NSW Government entities to move beyond compliance requirements and focus on building robust cyber security capabilities that can adapt to evolving threats.
Cyber Security NSW’s offerings improve the management of the NSW Government’s cyber risk and enhance our cyber security capability holistically. The impact of tailored cyber security products and services is often intangible and preventive in nature, making it challenging to measure in concrete terms. The value lies not just in averting potential breaches, but also in safeguarding sensitive data and ensuring business continuity.
In addition to providing services directly to NSW Government departments, agencies and local councils, Cyber Security NSW also collaborates with an array of stakeholders to support a cyber-secure NSW Government. This involves working closely with cyber security agencies across states, territories and nationally, and other relevant bodies.
Revamped NSW Cyber Security Policy
One of our major pieces of work in 2023 was the new NSW Cyber Security Policy. Incorporating recommendations from the Audit Office of NSW and an independent review commissioned by Cyber Security NSW, extensive consultation occurred with agencies across the government sector to significantly update the NSW Cyber Security Policy and ensure it is fit for purpose.
The policy now includes:
- an assurance assessment, to provide assurance over the annual reporting against the NSW Cyber Security Policy that NSW Government agencies submit to Cyber Security NSW – this will give a more accurate and comprehensive picture of all-of-government cyber security uplift, enabling Cyber Security NSW to better track progress across the NSW Government
- threat-based requirements and metrics, to help ensure that an agency’s cyber security uplift is most effective for the threats to its cyber environment
- best practice guidance for cloud and operational technology, to ensure that the policy accounts for the proliferation of this technology across the NSW Government.
The updated NSW Cyber Security Policy has now been released.
Strategies and plans guiding our work
In early 2023, we released the Cyber Security NSW Service Catalogue, which details the wide variety of products, services and best practice advice and guidance available to departments, agencies and local councils.
We also published our first Cyber Security NSW Strategic Plan (PDF, 1008.05 KB), which outlines our strategy for achieving our vision of a cyber-secure NSW Government and includes key performance indicators (KPIs) we will use to measure our progress towards this ultimate goal. As this inaugural version outlines the plan for the 2023-2024 financial year, we will release an updated strategic plan in mid-2024, which will include our reporting against the KPIs for the previous period.
We launched the Cyber Security NSW Local Government Engagement Plan (PDF, 285.36 KB), which outlines the strategic approach to local government sector engagement, including its streams of engagement, expectations of local government entities, prioritisation strategy and challenges to consider. This will be complemented by the Cyber Security NSW Engagement Plan for Departments, Agencies and Other Government Entities, set to be released this year.
Responding to major data breaches and cyber attacks
Cyber Security NSW worked closely with ID Support NSW to lead the NSW Government response to significant cyber attacks and data breaches that impacted our state’s communities, organisations and individuals. Several notable incidents impacted NSW in 2023, including the HWL Ebsworth cyber attack and the claimed ransomware attack against the Crown Princess Mary Cancer Centre.
When these and other major incidents occurred, Cyber Security NSW coordinated with federal, state and territory cyber security agencies and law enforcement, including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the NSW Police Force, to assist ID Support NSW in notifying those impacted. Cyber Security NSW also provided services to impacted NSW Government entities and communicated relevant warnings and insights.
NSW Government Cyber Threat Report
Cyber Security NSW released the restricted 2023 NSW Government Cyber Threat Report in September, which analysed every cyber event and cyber incident reported by departments, agencies and local councils over the 2022-2023 financial year.
The report highlighted trends and insights on cyber threats and incidents impacting NSW Government entities and found that threat actors continue to employ social engineering techniques when targeting the NSW Government.
Phishing attempts, for example, continue to play a significant role in reported incidents.
Cyber Security NSW is using the insights derived from the 2023 NSW Government Cyber Threat Report to guide its strategies and initiatives.
Please note that due to the sensitive nature of the report, it is only shared with a restricted audience of relevant government stakeholders.
Cyber Security NSW Summit
In September we held the inaugural Cyber Security NSW Summit, which provided a professional development opportunity for the NSW Government’s cyber security workforce and demonstrated the importance of collaboration and networking.
The summit featured a plenary panel on cyber security in today’s world and beyond, which explored insights and trends across the industry. The summit also included presentations from public and private sector cyber security experts and leaders.
Topics covered included cyber security and the role of artificial intelligence, translating cyber to connect with executives in their business language, managing cyber incidents with internal and external stakeholders, the future of cyber security awareness and training and cyber security case studies.
All speakers echoed the sentiment that cyber threats present a whole-of-business risk; cyber security can’t be the responsibility of IT teams alone.
In recognition of the summit’s theme ‘connect, innovate, empower – stronger together’, the Hon Jihad Dib MP, Minister for Customer Service and Digital Government, announced that Cyber Security NSW would sponsor 20 staff from across the NSW Government and local councils to complete TAFEcyber’s ACSC Essential Eight Assessment Course.
The Essential Eight Assessment Course uses a blend of specialist knowledge, experience and hands-on technical training to enable cyber security and information and communication technology (ICT) professionals to understand the ACSC’s Essential Eight Assessment Guidance Package as well as the Essential Eight Maturity Model. Now that they have completed this course, the sponsored NSW Government staff are equipped to assess and improve their organisation’s cyber security posture.
Protecting the NSW Government from email spoofing
Cyber Security NSW has moved nsw.gov.au domains from a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy of ‘none’ (monitoring only) to ‘reject’ (full enforcement). A ‘reject’ policy instructs receiving mail servers to refuse messages that fail DMARC authentication, making it one of the most effective methods of combating email spoofing and phishing attacks. Approximately 15,000 NSW Government subdomains have now inherited the ‘reject’ policy.
The ACSC reported that due to this change, the DMARC protection enforcement of NSW Government domains has increased from 33% to 85%. This makes NSW the leading state on email security.
Cyber Security NSW delivered a presentation on this implementation, and on how to maintain DMARC alignment going forward, to 114 participants from local councils, representing a large cross-section of local government.
This achievement is the culmination of five years of effort, including onboarding, verifying ownership, monitoring progress and collaboration. While work continues on the DMARC project to further protect NSW Government domains, it’s important to take a moment to recognise this significant milestone.
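The policy change described above turns on two DMARC details: the ‘p’ tag sets the domain’s own policy, and subdomains inherit it unless an explicit ‘sp’ tag overrides it. The following checker is an added example (not Cyber Security NSW’s tooling) that parses a DMARC TXT record and reports the enforcement level for the domain and for its subdomains; all records shown are constructed sample values, not real nsw.gov.au records.

```python
"""Added example: classify a DMARC record's enforcement level.

DMARC (RFC 7489) is published as a TXT record at _dmarc.<domain>.
  p=    policy for the domain itself: none | quarantine | reject
  sp=   policy for subdomains; when absent, subdomains inherit p=
  pct=  share of failing mail the policy applies to (default 100),
        so p=reject with pct=10 is not full enforcement.
Sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class DmarcRecord:
    policy: str            # value of p=
    subdomain_policy: str  # effective sp= (falls back to p=)
    pct: int               # value of pct= (default 100)
    rua: List[str]         # aggregate-report destinations


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record into its security-relevant tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy: {policy}")
    sub_policy = tags.get("sp", policy).lower()   # inheritance rule
    pct = int(tags.get("pct", "100"))
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sub_policy, pct, rua)


def enforcement(rec: DmarcRecord, for_subdomain: bool = False) -> str:
    """'none' is monitoring only; 'reject' at pct=100 is full enforcement."""
    pol = rec.subdomain_policy if for_subdomain else rec.policy
    if pol == "none":
        return "monitoring"
    if pol == "reject" and rec.pct == 100:
        return "full enforcement"
    return "partial enforcement"


# Constructed sample records (not real nsw.gov.au data).
BEFORE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
AFTER = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
WEAK_SUBDOMAINS = "v=DMARC1; p=reject; sp=none"      # subdomains still spoofable
SAMPLED = "v=DMARC1; p=reject; pct=10"               # only 10% of failures rejected

if __name__ == "__main__":
    for label, txt in [("before", BEFORE), ("after", AFTER),
                       ("weak sp", WEAK_SUBDOMAINS), ("pct=10", SAMPLED)]:
        rec = parse_dmarc(txt)
        print(f"{label:8} domain={enforcement(rec):18} "
              f"subdomains={enforcement(rec, for_subdomain=True)}")
```

The ‘weak sp’ and ‘pct=10’ cases show why a checker should look past p=reject alone: a permissive sp tag or a sampling percentage below 100 leaves a gap that the headline policy hides.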
Proactive intelligence and immediate response
Over the year, Cyber Security NSW circulated 172 intelligence products and responded to more than 500 notifications to assist NSW Government departments, agencies, local councils and state-owned corporations in responding to threats and cyber incidents.
Cyber Security NSW offers a comprehensive threat intelligence product suite that provides analysis specific to the NSW Government from a wide variety of open and closed sources. These products inform government entities of specific threats or security issues of concern, enabling proactive mitigation and decisive action.
Raising cyber security awareness
In 2023, Cyber Security NSW delivered cyber security awareness training to 210,618 NSW Government staff through 207,761 e-module and 2,857 live training completions. As a result, staff received fundamental cyber security awareness in line with the curricula we developed in-house and were provided with useful resources such as cyber hygiene checklists, tips for detecting phishing and much more.
To strengthen cyber security culture across NSW Government, we developed communication toolkits for NSW Government agencies, including the Cyber Security Awareness Month Pack, Online Shopping and Scams Awareness Pack and Summer Cyber Awareness Pack.
The packs contained resources, events and links to a wealth of information from Cyber Security NSW, the ACSC and other state and federal government organisations.
This was bolstered by updated awareness materials, including 12 new cyber security posters and three cyber security guides tailored for senior leaders and general staff.
The packs, guides and posters enabled many organisations to promote cyber security awareness more broadly and easily without being resource intensive.
Fostering sector development
Cyber Security NSW continued to sponsor six trainees in the pilot cyber traineeship, delivered through Training Services NSW’s IT traineeship program. The pilot has been well received by trainees and their agency supervisors alike, and Cyber Security NSW has identified opportunities to build on this success in future initiatives.
Cyber Security NSW organised the 2023 NSW Government Capture the Flag (CTF) competition in partnership with the Department of Communities and Justice and TahSec, the NSW Government’s competitive hacking team. The competition was the largest to date, with 319 participants across 132 teams who took part in the hybrid event. On-site challenges included a covert search warrant, wi-fi hacking, lock picking and find-the-device challenges, all designed to test and recognise the technical cyber security skills of government staff.
Cyber Security NSW increased collaboration with the Cyber Security Cooperative Research Centre (CSCRC) and other industry partners in 2023 to launch four additional research and development projects. The projects address important problems in the areas of resilience, executive gamification, strategy formulation and improving the cyber posture of small to medium-sized enterprises.
Tailored services for departments, agencies and local councils
Cyber Security NSW continues to provide tailored assistance to entities where required. For example, we supported the NSW Electoral Commission through the 2023 state election, providing tailored education and proactive threat intelligence in the lead-up to the election, along with increased intelligence coverage and monitoring over the election weekend.
In addition, we assisted the NSW Electoral Commission with an internal technical threat assessment of its network and provided increased website defacement monitoring throughout the 2023 election period, to detect unauthorised changes to its websites and protect public trust in the electoral process.
Cyber Security NSW successfully trialled ‘CISO-as-a-service’ with Wagga Wagga City Council. Under the trial, the council’s cyber security strategy was reviewed and prioritised in three phases, starting with basic cyber hygiene and meeting Essential Eight Maturity Level One. As a result of this prioritisation work, the council’s executive team asked Cyber Security NSW to help develop a cyber risk appetite statement. A workshop was conducted on-site in Wagga Wagga with the executive team, resulting in a draft cyber risk appetite statement, tolerance thresholds and reporting templates.
Greater availability of incident exercises
We expanded our offerings through the addition of our Build-an-Exercise service, which provided 20 requesting entities with scenarios, guidelines and reporting templates to enable them to conduct cyber incident response exercises independently.
This offering empowers entities to test their current plans and procedures, validate capabilities and inform the development or improvement of cyber arrangements and processes.
Adapting for artificial intelligence (AI)
As noted in the 2023 NSW Government Cyber Threat Report, malicious actors have quickly adopted the new AI technologies on the market, weaponising these tools to develop malware toolsets and craft more convincing phishing campaigns. Cyber Security NSW’s cyber security awareness training helps NSW Government staff learn how to spot phishing emails.
We are aware that NSW Government entities are also using generative AI. To this end, Cyber Security NSW released generative AI end-user guidance (PDF, 217.1 KB), which advises NSW Government staff on how to ensure responsible, safe and ethical AI use in the workplace. The guidance presents opportunities and risks associated with end-user use of public generative AI tools. This is supported by use cases, do/don’t lists and links to helpful resources.
Proactive security guidance
Last year, we developed and published the TikTok NSW Government guidance to accompany circular DCS-2023-01, issued on 6 April 2023, which directed portfolios and agencies to prevent the installation of, and remove existing instances of, the TikTok application on government-issued devices.
In March 2023, Cyber Security NSW also published security guidance on how to strengthen LastPass user accounts following the 2022 LastPass data breach. In developing the configuration recommendations, Cyber Security NSW met with the LastPass Global Chief Information Security Officer (CISO).
Vulnerability detection
Cyber Security NSW offers a wide range of security assessments, including passive and intrusive external scanning, internal vulnerability scanning and penetration testing. We also provide key website monitoring using a bespoke tool developed in-house, and cyber security health checks to review people, processes and technology through a technical lens to assess the maturity level against the ACSC Essential Eight.
As part of our security assessment services, in 2023 we proactively detected 33,587 external vulnerabilities, with 691 being of medium severity or higher, and provided remediation advice to NSW Government entities.
In addition to this, we provided 511 cyber security reports to NSW Government entities, including vulnerability disclosure reports, third-party risk assessments, dropped-domain notifications and penetration test reports.
Vulnerability identification
In 2023, Cyber Security NSW expanded the Health Check service to cover all eight strategies under the Essential Eight Maturity Model. This service provides a comprehensive view of an entity’s cyber security risk footprint across the assessed areas, along with a roadmap for reducing cyber risk and increasing resilience.
We also expanded access to the continuous external vulnerability monitoring service, onboarding 60 local councils onto the platform. This service provides NSW Government entities with external network and attack surface monitoring capabilities.
This work supports Cyber Security NSW’s objective of proactively managing cyber security risks and threats.
Defensive domains
In 2023, Cyber Security NSW renewed and purchased 665 defensive .au second-level domains for a period of five years on behalf of NSW Government entities. This follows the Cyber Security NSW initiative in 2022 to register NSW Government .au second-level domains to mitigate the risk of malicious actors deceptively registering similar domain names to impersonate NSW Government entities.
Reporting and metrics
Our Cyber Portal – a highly customisable information collection and collation reporting tool that enables deeper data analysis of cyber security metrics – has now been rolled out to all NSW Government agencies that submit reporting against the NSW Cyber Security Policy and is being extended to local councils, with some already onboarded.
Cyber Security NSW continues to enhance its functionality based on the changing needs of cyber security and provide ongoing quality-of-life updates. Along with various other functions, such as file sharing and incident reporting, the Cyber Portal will become the central customer-facing interface to Cyber Security NSW.
ICT Digital Assurance Framework (IDAF) Gateway Reviews
Cyber Security NSW has been involved in the Department of Customer Service (DCS) IDAF process since 2021. Last year alone, Cyber Security NSW staff participated as independent cyber security subject matter expert reviewers in four Gateway Reviews. In addition to this, we assessed the cyber risk scores of 30 ICT and Digital Project Registrations.
In 2023, we started providing advice on assurance and prioritisation of NSW Government cyber security budget bids referred by NSW Treasury. Cyber Security NSW also developed an assurance framework to enable consistency across budget bids.
What’s next?
On top of continuing to expand its provision of both all-of-government and entity-specific cyber security initiatives and services, Cyber Security NSW has several key projects underway to support a cyber-secure NSW Government.
For instance, Cyber Security NSW will continue to develop its budget assurance function to better enable it to advise on assurance and prioritisation of NSW Government cyber security budget bids and develop a potential all-of-government approach to drive consistency in cyber security funding requests.
Planning is underway for roundtables that will bring cyber security experts and leaders from the public, private and academic sectors together to discuss and develop potential solutions to common challenges. These will focus on the themes of building community awareness, the nexus between security and privacy and uplifting cyber security across the local government sector.
This year, we will also update the NSW Cyber Security Strategy to have a greater focus on government resilience.
Please contact info@cyber.nsw.gov.au if you would like to find out more about what we do and how we can assist you.