
Australian Government Agencies Failing to Keep Up With Cyber Security Change


More Australian government agencies failed to meet the required levels of cyber security maturity in 2024 than in 2023, according to an assessment by the Australian Signals Directorate.

The ASD reported that only 15% of entities achieved Maturity Level 2 on Australia’s Essential Eight cyber security framework in 2024 — a sharp decline from 25% in 2023.

Under Australia’s Protective Security Policy Framework, agencies were required to implement all Essential Eight mitigation strategies to meet at least Maturity Level 2 by July 1, 2022. Some entities were also advised to consider whether their security environment warranted achieving the higher Maturity Level 3.


Despite these requirements, the ASD noted that the 2024 results highlight that achieving Level 2 compliance “remains low” among agencies.

Government agencies going backward on cyber security mitigation

Australia’s Essential Eight framework outlines eight mitigation strategies to help entities reduce their vulnerability to security incidents and the impact of incidents if they do occur.

These measures include:

  • Patch applications.
  • Patch operating systems.
  • Multi-factor authentication.
  • Restrict administrative privileges.
  • Application control.
  • Restrict Microsoft Office macros.
  • User application hardening.
  • Regular backups.

The framework also describes the characteristics of four maturity levels, ranging from 0 to 3. An entity's overall maturity is set by the lowest level it has reached across the eight strategies, so it must meet a given level on all eight before it can claim that level.
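The "lowest level across all eight" rule above is easy to get wrong in a spreadsheet, so here is a small self-assessment helper that applies it and reports which strategies are holding an entity below its target level. This is an added example, not code from the article or from the ASD; the strategy names are the Essential Eight as listed above, and the sample ratings are constructed for illustration only.

```python
# Added example (not from the ASD report or the article): apply the Essential Eight
# rule that an entity's overall maturity level is the lowest level reached across
# all eight strategies, and list the strategies blocking a target level.

ESSENTIAL_EIGHT = (
    "Patch applications",
    "Patch operating systems",
    "Multi-factor authentication",
    "Restrict administrative privileges",
    "Application control",
    "Restrict Microsoft Office macros",
    "User application hardening",
    "Regular backups",
)


def overall_maturity(ratings: dict) -> int:
    """Overall level is the minimum across all eight strategies.

    A strategy absent from ``ratings`` is treated as Level 0, since an
    unassessed or unimplemented strategy cannot support a higher claim.
    """
    for name, level in ratings.items():
        if name not in ESSENTIAL_EIGHT:
            raise ValueError(f"unknown strategy: {name}")
        if not 0 <= level <= 3:
            raise ValueError(f"{name}: level must be 0-3, got {level}")
    return min(ratings.get(name, 0) for name in ESSENTIAL_EIGHT)


def gaps_to_target(ratings: dict, target: int = 2) -> dict:
    """Strategies currently below ``target``, mapped to how many levels short they are."""
    return {
        name: target - ratings.get(name, 0)
        for name in ESSENTIAL_EIGHT
        if ratings.get(name, 0) < target
    }


# Constructed sample ratings: strong on macros and backups, not yet at Level 2 for MFA.
SAMPLE_RATINGS = {
    "Patch applications": 2,
    "Patch operating systems": 2,
    "Multi-factor authentication": 1,
    "Restrict administrative privileges": 2,
    "Application control": 2,
    "Restrict Microsoft Office macros": 3,
    "User application hardening": 2,
    "Regular backups": 3,
}

if __name__ == "__main__":
    # Seven strategies are at Level 2 or better, but one at Level 1 caps the
    # whole entity at Level 1 under the all-eight rule.
    print("Overall maturity level:", overall_maturity(SAMPLE_RATINGS))
    for name, shortfall in gaps_to_target(SAMPLE_RATINGS).items():
        print(f"  below Level 2: {name} (short by {shortfall})")
```

Run it as-is to see the sample entity capped at Level 1 by a single strategy; pass `target=3` to `gaps_to_target` to see what a Level 3 claim would require.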


Where agencies are performing worst against the Essential Eight

The mitigation strategies where the lowest proportion of agencies reached Maturity Level 2 were:

Australian government agencies fared best against Maturity Level 2 for the following strategies:

  • Restrict Microsoft Office macros (68%).
  • Regular backups (59%).
  • Patch operating systems (51%).

A 2023 update may have impacted results

The ASD suggested that several upgrades to the Essential Eight model in November 2023 may have contributed to agencies rating their maturity levels lower in 2024.

“Changes to the Essential Eight Maturity Model mean entities which had not yet implemented new requirements would record a reduction in maturity level compared to 2023,” the ASD said in the report.

For instance, 54% of agencies previously reported they were at Maturity Level 2 for Multi-Factor Authentication. New requirements for phishing-resistant MFA pushed the proportion down to 23%.


However, these updates were to “address cyber security threats informed by the evolution of tradecraft used by malicious actors,” which required advice “commensurate with the threat,” the ASD said.

Agencies not keeping up with Essential Eight upgrades will essentially be exposed to an increased risk of compromise by malicious actors and suffer greater impact if a compromise does occur.

Legacy IT also playing role in cyber security deficiency

There were some areas of concern for the ASD, including the volume of incident reports it received.

  • The percentage of entities reporting security incidents to the ASD remained low, with just 32% reporting at least half of the observed incidents on their networks in 2024.
  • The ASD also said the proportion of entities applying effective email encryption decreased from 43% to 35%, according to scans conducted to assess cyber hygiene improvement.

The use of legacy systems also greatly hindered many agencies’ ability to implement the Essential Eight. In 2024, 71% of entities indicated that using legacy technologies had impacted their ability to implement the Essential Eight, an increase from 52% of entities in 2023.

Entities reported the most significant reasons for still using legacy IT were:

  • Lack of prioritisation of upgrades (25%).
  • Insufficient dedicated funding (24%).
  • Lack of a viable replacement (16%).
  • Time to decommission systems (16%).

In the report, the ASD said the ongoing problem with legacy IT in public sector agencies presented “significant and enduring risks to the cyber security posture of Australian Government entities.”

“Legacy IT is more vulnerable to cyber attacks as vendors do not support the development of security updates, or limit security services,” the ASD said.

“Malicious actors may be able to compromise legacy IT and use it to gain access to more modern systems in IT environments.”

Agencies are doing some things right, says the ASD

The ASD said Australian government agency cyber security postures were “well-established in some areas, and required improvement in others.” It singled out the establishment of corporate governance mechanisms to understand security risks and prepare for cyber threats as a positive area.

The report found that most had planned for a cyber security incident and were ready to respond:

  • In 2024, 75% of entities had a cyber security strategy, an increase from 73% in 2023.
  • 86% of entities addressed cyber security disruptions in their business continuity and disaster recovery planning, an increase from 83% in 2023.
  • 86% of entities had an incident response plan, an increase from 82% in 2023.

ASD calls for public sector to improve security maturity

The ASD concluded that agencies should continue to implement the upgraded Essential Eight mitigation strategies across their networks to at least Maturity Level 2, in line with current requirements.

It also recommended that Australia’s public sector agencies increase cyber security incident reporting and share cyber threat information with the ASD, implement strategies for managing legacy IT now and into the future, and maintain an incident response plan and exercise it at least every two years.


