NSW Government agencies are struggling to meet basic cyber security requirements, with only 31% of mandatory protection controls being implemented across the sector, according to a report released by the state's Auditor-General.

The Cyber Security Insights 2025 report reveals that while cyber threats are escalating rapidly – with incidents involving third-party systems nearly tripling in the past year – most state agencies remain inadequately prepared to defend against attacks.

The audit found that agencies performed worst in the "Protect" domain, which includes essential safeguards like regular software updates, multi-factor authentication, and network security controls designed to prevent cyber attacks.

"The absence of 'protect' domain controls increases the likelihood of a successful cyber attack," the report warns, noting that many agencies still report zero maturity for critical protections despite years of focus on cyber security improvements.

Budget constraints and ongoing cyber security upgrade programs were cited as the primary reasons agencies couldn't meet minimum requirements.

The findings come as Cyber Security NSW reports a near-tripling of incidents involving systems owned or managed by third parties, including increased data breaches. However, the audit revealed a concerning blind spot: when cyber security controls are managed by external providers, compliance is not being reported to authorities.

"Agencies and Cyber Security NSW may not be aware of any non-compliance against the Cyber Security Policy where the cyber security control practice is provided by third parties," the report states.

Of the 66 agencies that reported their cyber security status in 2024, 27 disclosed a total of 152 significant, high, and extreme cyber security risks. Alarmingly, 28 of these risks had treatment controls that were either "largely ineffective" or "totally ineffective."

The report also highlighted concerning gaps in oversight, with 59% of agencies lacking independent assurance over their cyber security assessments – raising questions about the accuracy of their self-reported compliance.

Another significant concern identified was the shift toward aggregated reporting, where 66 reports now represent 177 agencies, compared to 110 individual reports in 2023. This consolidation potentially obscures cyber security weaknesses at individual agencies within larger portfolios.

Essential Eight Implementation Lags

Despite years of emphasis on the Australian Cyber Security Centre's Essential Eight mitigation strategies, many agencies continue to fall short. Some reported zero maturity for critical controls including application management, system patching, and administrative privilege restrictions.

While cyber security awareness training has improved, with 96% of state agencies now conducting phishing simulations, the local government sector lags behind with 45% of councils failing to test staff responses to simulated attacks.

The report notes that cultural factors and competing business priorities often drive non-compliance with security protocols, with staff sometimes bypassing procedures during emergencies or time-sensitive work.

The audit examined seven years of cyber security reports across state agencies, universities, and local councils, revealing inconsistent progress. While universities have achieved 100% implementation of cyber security policies, only 74% of councils have established such policies.

Auditor-General Bola Oyetunji emphasized the need for improved independent oversight of agency cyber security assessments, noting previous recommendations for stronger assurance processes that remain partially implemented.

The full Cyber Security Insights 2025 report is available here.