Less than 8 per cent of Transport for NSW staff and 5 per cent of Sydney Trains staff had completed a cyber security training course as of January 2021. However, TfNSW has advised that it will implement mandatory annual training from July 2021 for all staff.
Transport for NSW in February confirmed it had lost some information during a cyber attack on Accellion, a file transfer system used by organisations and governments across the world.
The report recommended both agencies urgently address vulnerabilities identified by the audit, and increase the uptake of cyber security training.
It also recommended that risks be adequately reported to executives and that cyber security awareness training be made mandatory for all TfNSW and Sydney Trains staff.
The report found that while Sydney Trains had conducted assessments for its “high-risk contractors,” Transport for NSW had not.
“As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management,” the report said.
Neither agency has reached its Cyber Security Policy target levels, which are set out by the Department of Customer Service.
In a letter to the Auditor-General, Department of Customer Service secretary Emma Hogan said her agency was working to “reduce ambiguity” in its Cyber Security Policy by making it more clearly worded.
Transport for NSW secretary Rob Sharpe told the Auditor-General the agency had invested tens of millions of dollars into cyber security over coming years. He added that TfNSW was committed to further improving cyber security.
NSW Opposition customer service and digital spokeswoman Yasmin Catley said the report was extremely concerning.
“The minister must explain why despite numerous reports now from the Auditor-General and an Upper House inquiry into cyber security, the government have failed to address significant weaknesses that exist in their cyber security controls,” Ms Catley said.