Digital government agency Service NSW ignored the risks that led to a “serious” cyber security attack and the theft of over 100,000 individuals’ personal information, a parliamentary committee has concluded as a formal investigation into the breach excoriated the agency’s slow and inadequate response.

A months-long investigation concluded that the “shocking incident was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” committee chair the Hon Tara Moriarty MLC noted as the findings were handed down.

“Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”

State cyber security agency Cyber Security NSW admitted in January that the “NSW Government’s maturity is low” when it comes to cyber security, arguing that a slew of security-related activities were helping to “adapt to the evolving cyber security threat landscape and focus on building the right foundations now.”

Noting that increasingly digital government services meant “the amount of data being stored, accessed and shared online is at an all-time high,” Moriarty said the state government “needs to be doing more in the cyber security space to protect citizens and their personal information.”

“Proactive, robust and resilient cyber security measures are critical now more than ever.... Failing to get cyber security right not only puts citizens at risk, but it undermines trust in government and negatively impacts the state’s economy and business community.”

The breach of Service NSW systems last April saw 47 staff email accounts hacked, allowing cybercriminals to access five million internal documents.

Despite the creation of a ‘hypercare team’ last September to speed the government’s management of the breach, as of February, at least 20,000 people were still unaware their personal data had been compromised.

Calling for a “holistic approach to cyber security practices across NSW”, the committee’s recommendations include strengthening the NSW Government Cyber Security policy, enhancing the “role and mandate” of Cyber Security NSW, and improving cyber security education for public officials and cyber security professionals.

The committee also recommended changes including mandating the currently-voluntary notification of data breaches, improvements to sovereign cyber security capability and “clearer requirements” for government cyber security standards.

Such standards are already in the works, with a Standards Australia taskforce last year partnering with AustCyber and the NSW Government to develop consistent cyber security standards for Australian industries.

A rising tide lifts all boats

The damning findings come amidst growing scrutiny on government cyber security, particularly in the wake of an apparent “clumsy” attack on Parliamentary email systems over the weekend and reports that Services Australia – the federal government body modelled on Service NSW – referred 20 security incidents to the Australian Cyber Security Centre (ACSC) during 2019 alone.

Despite these compromises, last week the Australian Electoral Commissioner said the agency would not welcome an audit of its “incredibly robust” systems.

Yet new research, conducted by Tech Research Asia for security firm Sophos, suggests that the systemic deficiencies identified in the Service NSW review reflect a broader immaturity in cyber security.

Perhaps unsurprisingly given that just 18 per cent of respondents classified themselves as having an ‘optimised’ cyber security maturity level, some 52 per cent of Australian organisations reported suffering a data breach last year – up from 36 per cent in 2019.

Some 69 per cent of companies rated their loss of data as serious or “very serious” – yet despite this surging cyber security threat, respondents said their biggest problem was executives’ perception that cyber security is easy, and that the threats facing organisations are exaggerated.

Given that 68 per cent of respondents said their data breaches had taken longer than a week to resolve, this “disturbing” perception “needs to be tackled head on,” Sophos global solutions engineer Aaron Bugal said, calling it “confounding” that such complacency could continue despite the growing list of high-profile cyber-criminal attacks this year.

“If that wasn’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrates the desperate need for unification when it comes to cyber resilience,” he said.

“Everybody needs to play a part – and to play a part, we all need to understand the risk.”