Tuesday, April 14, 2026

Queensland cyber security risk audit reveals public sector vulnerabilities

The Queensland Auditor-General has today tabled a report that examines how effectively public sector entities manage third-party cyber security risks.

The report, Managing third-party cyber security risks (Report 13: 2025–26), tabled in Parliament today, outlines the audits of one state government department, one statutory body, and one local government entity.

Entities are increasingly using third parties, such as IT vendors, accounting firms, marketing businesses, and consultants, to deliver products or services, the Audit Office said in a statement.

“The use of third parties enables operational efficiency and digital innovation, but also introduces cyber security risks. Entities that do not manage these risks effectively may experience a cyber attack through a third party, leading to a loss of privacy, financial cost, reputational damage, and other ramifications,” the Office stated.

“We have not publicly named these entities to protect their information environments. In our report, we also assess how effectively the Department of Customer Services, Open Data and Small and Family Business (CDSB) and the Department of Housing and Public Works (DHPW) lead and build capability to manage third-party cyber security risks across the public sector.”

The Office found that the three entities had not adequately identified and assessed their third-party cyber security risks, and as such, did not know how vulnerable they were.

“While the entities had implemented IT security controls providing some protection, they were not effective for preventing a third-party cyber breach. We were able to bypass their controls, gain access to their corporate systems, and extract sensitive information.”

“We also found that CDSB and DHPW need to strengthen how they build capability for managing third-party cyber security risks across the public sector. This includes ensuring entities are aware of, and using, available better practice guidance.” 

The Audit Office made seven recommendations to all public sector entities, drawn from the learnings of this audit. 

“We also provide a better practice checklist of key questions for all entities to consider when planning how they manage third-party cyber security risks,” the Auditor-General stated.

Read the report: www.qao.qld.gov.au/reports-resources/reports-parliament/managing-third-party-cyber-security-risks, including a 2-page summary.

View the better practice guide: www.qao.qld.gov.au/reports-resources/better-practice/checklist-managing-third-party-cyber-security-risks.
