For those with an interest in information security who would like a sobering read to take the edge off the holiday cheer, the Report on Internal Controls and Governance 2017 from the Audit Office of New South Wales fits the bill.

Released prior to Christmas, the report details the extent to which NSW government agencies are struggling to fulfil the basics of security, which is even more concerning given the agencies commonly handle personal citizen data.

“Most agencies do not sufficiently monitor or restrict privileged access to their systems and some do not enforce password controls,” the report states.

The audit office found 68 percent of agencies did not “adequately manage” who has access to systems.

“We found that one agency had 37 privileged user accounts, including 33 that were dormant,” the office said. “The agency had no formal process to create, modify or deactivate privileged users.”

The office said the NSW government agencies it looked at experienced 8,503 cyber attacks during the year, a significant absolute increase on the 1,558 attacks reported last year and 603 attacks a year prior. However, there is a pair of caveats: two agencies reported 7,000-odd attacks between them, and there is no common definition of “cyber attack” within the agencies.

“The extent of the cyber security threat is unknown because agencies define a ‘cyber attack’ differently,” the report said.

“As there are different…