
NSW Cyber Security Audit Highlights Growing Risks — and Rising Compliance Costs

Cyber security remains one of the most pressing challenges facing the digital economy, and with the rise of AI-powered threats, the stakes have never been higher.

In a clear sign that the issue is front-of-mind for government, the NSW Auditor-General has released a new report following its review of cyber security practices across NSW government departments and agencies, including local councils. The findings, while unsurprising, reveal significant shortfalls in compliance — from governance and risk management to staff training and technical controls.

As a trusted technology partner to multiple local councils and government entities, CIBIS has a front-row view of the real-world challenges agencies face. Weak passwords, limited multi-factor authentication, poor control over third-party access, and insufficiently secured integration APIs are just some of the vulnerabilities still present in many environments.

“We work closely with our clients to improve their cyber security posture,” said Tony Heitmeyer, General Manager of CIBIS. “But the reality is that compliance isn’t cheap. The Auditor-General’s report rightly notes that budget constraints are the number one reason for delays in meeting security benchmarks.”

The report — Cyber Security Insights 2025 — also raises a red flag on third-party risk, revealing a near-tripling of incidents involving systems owned or managed by external vendors. “Entities retain accountability even when outsourcing,” the report warns. “And third-party cyber risk management remains a significant challenge.”

CIBIS has long invested in robust cyber security practices and is proud to maintain ISO/IEC 27001 certification — a globally recognised framework for information security. “Achieving ISO 27001 was a significant investment, both financially and operationally,” said Heitmeyer. “But cyber security is non-negotiable — our clients expect us to meet or exceed the standards they’re held to.”

In addition to ISO 27001, CIBIS continues to align with other frameworks such as the Australian Cyber Security Centre's Essential Eight and PCI-DSS, depending on client needs. This often includes completing in-depth assessments such as UpGuard questionnaires and supplying detailed documentation of internal systems and processes.

“With increased scrutiny comes increased responsibility — and cost,” Heitmeyer said. “That’s why we’ve had to review our pricing structure to reflect the real-world investment required to maintain a strong cyber security posture.”

CIBIS believes that a proactive approach to cyber security isn’t just a competitive advantage — it’s a responsibility to clients, users, and the wider community.
