The NSW Auditor-General’s Cyber Security Insights 2025 report presents a sobering snapshot of cyber resilience across government agencies, revealing systemic weaknesses that put sensitive data and public trust at risk. But its lessons extend far beyond the public sector — they resonate strongly with private enterprises grappling with an ever-evolving cyber threat landscape.
Key Findings Highlight Persistent Gaps
Despite the increasing awareness and resources devoted to cyber security, the report finds that a majority of NSW government agencies fall short of implementing fundamental controls. For example:
Sixty-nine per cent of the mandatory 'Protect' controls required by the NSW Cyber Security Policy were either only partially implemented or not implemented at all across agencies.
In FY2024, agencies reported 152 residual cyber risks assessed as significant, high, or extreme: risk that remains even after existing controls are applied, leaving systems exposed to potential breaches until it is treated or formally accepted.
More than half (59%) of agencies lacked independent assurance of their self-assessed compliance, raising questions about the accuracy and effectiveness of their risk management.
These statistics underscore a critical truth:
Possessing cyber security policies and frameworks alone is insufficient. Without rigorous implementation, continuous validation, cyber security training and mature governance, organisations remain vulnerable.
Cultural and Governance Challenges Undermine Security
Beyond technical controls, the report highlights enduring challenges with culture, governance, and third-party risk management:
Many agencies struggle with unclear roles and responsibilities, which can dilute accountability for cyber security outcomes.
Asset management gaps mean that organisations lack comprehensive visibility over the systems and data that need protection.
Third-party risk remains poorly managed, leaving agencies exposed through suppliers and contractors who may not meet adequate security standards.
These challenges illustrate the importance of embedding cyber security into the organisational fabric, where leadership, culture, and operational practices align to support effective risk mitigation.
Why These Insights Matter to the Private Sector
Private sector organisations face parallel risks, often magnified by the complexity of global supply chains, regulatory expectations, and increasingly sophisticated attackers. The findings from NSW’s public sector reflect challenges many businesses encounter:
Overreliance on self-assessment without independent validation creates blind spots: controls believed to be in place may not be, and attackers find those gaps before the organisation does.
Legacy systems and underinvestment in security controls increase susceptibility to breaches and ransomware.
A disconnect between cyber security teams and executive leadership can hinder timely risk prioritisation and response.
Third-party and supply chain risks are often underestimated or inadequately managed, despite being a primary vector in high-profile incidents.
Moving From Compliance to Resilience
The report signals that to truly improve cyber readiness, organisations must shift from a compliance mindset to one focused on resilience. This change requires:
Clear governance structures that define ownership and accountability at all levels.
Regular independent assurance and audits to validate risk posture beyond self-reporting.
Investing in culture and capability-building, so that every employee understands their role in cyber security.
Robust third-party risk management programs that actively monitor and mitigate supplier vulnerabilities.
The NSW Government’s commitment of $90 million over four years to bolster cyber security is encouraging, but without cultural and governance reforms, investments risk falling short.
Establish Genuine Resilience with Authorised Cyber Security Training
Cyber Security Insights 2025 is a wake-up call — for governments and private businesses alike. Cyber security is no longer just an IT issue; it’s an enterprise risk that demands leadership attention, strategic investment, and a culture that values security as a business enabler.
As cyber threats evolve in scale and sophistication, building genuine cyber resilience depends on integrating people, processes, and technology — and never underestimating the power of culture and governance to bridge the gap between policy and practice.
Lumify Group has been named "Cyber Security Training Business of the Year" at the 2025 Australian Cyber Awards. This recognition validates our commitment to providing professionals with the right skills today to secure tomorrow.
Cyber threats aren't slowing down and will continue to plague the private and public sectors. Without the right people with the right skills, how secure are you?
Contact our team to get started or explore cyber security training courses and pathways by downloading our brochure.