Australian Government Organizations Struggling to Keep Pace With Changes in Cyber Security

In 2024, more Australian government organizations failed to reach the required level of cyber security maturity than in the previous year, according to an evaluation conducted by the Australian Signals Directorate (ASD).

According to the ASD assessment, only 15% of entities reached Maturity Level 2 on Australia’s Essential Eight framework in 2024, which is a significant drop from the 25% reported in 2023.

As per Australia’s Protective Security Policy Framework, organizations were mandated to implement all Essential Eight mitigation strategies to achieve at least Maturity Level 2 by July 1, 2022. Some entities were also advised to assess if their security landscape justified meeting the higher Maturity Level 3 as well.

Despite these directives, the ASD pointed out that the 2024 outcomes emphasize that the adherence to Level 2 standards “remains inadequate” among organizations.

Decline in Cyber Security Efforts by Government Agencies

Australia’s Essential Eight guideline outlines eight risk mitigation strategies to assist organizations in minimizing their exposure to security breaches and lessening the impacts of any incidents that may transpire.

These strategies encompass:

  • Updating applications.
  • Updating operating systems.
  • Implementing multi-factor authentication.
  • Limiting administrative privileges.
  • Monitoring application usage.
  • Controlling Microsoft Office macros.
  • Enhancing user application security.
  • Regularly backing up data.

The guideline also describes four maturity levels, from 0 to 3. An organization's overall maturity level is the level it meets across all eight strategies; to move up, it must reach the higher level in every one of them.

Sectors where agencies have the poorest compliance with the Essential Eight

The risk mitigation strategies with the lowest adherence to Maturity Level 2 were:

Government agencies in Australia exhibited stronger adherence to Maturity Level 2 for the following strategies:

  • Controlling Microsoft Office macros (68%).
  • Regular data backups (59%).
  • Updating operating systems (51%).

Possible Impact of a 2023 Update

The ASD suggested that changes made to the Essential Eight Maturity Model in November 2023 may have had a bearing on the outcomes, leading organizations to rate their maturity levels lower in 2024.

According to the ASD, changes to the Essential Eight Maturity Model mean that entities which had not yet adopted the new requirements would see their maturity level fall relative to 2023, even if nothing else changed.

For example, 54% of organizations had previously reported Maturity Level 2 for multi-factor authentication. Once the new requirement for phishing-resistant MFA was introduced, that figure dropped to 23%.
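As an added illustration of the two rules described above (example code, not from the ASD or the original article), the Python below scores a constructed set of entity assessments: an entity's overall level is the lowest level it meets across all eight strategies, and a simplified stand-in for the November 2023 phishing-resistant MFA requirement shows how a model change alone lowers reported levels. The strategy names, the MFA rule and the sample data are assumptions.

```python
# Constructed scoring helper for the Essential Eight maturity rule (not ASD code).
ESSENTIAL_EIGHT = (
    "patch_applications", "patch_operating_systems", "multi_factor_authentication",
    "restrict_admin_privileges", "application_control", "restrict_office_macros",
    "user_application_hardening", "regular_backups",
)
MFA = "multi_factor_authentication"

def overall_maturity(levels):
    """Lowest level reached across all eight strategies: a single strategy
    stuck at ML1 caps the whole entity at ML1."""
    missing = set(ESSENTIAL_EIGHT) - set(levels)
    if missing:
        raise ValueError(f"no assessment for: {sorted(missing)}")
    for name in ESSENTIAL_EIGHT:
        if levels[name] not in (0, 1, 2, 3):
            raise ValueError(f"{name}: level must be 0-3, got {levels[name]!r}")
    return min(levels[name] for name in ESSENTIAL_EIGHT)

def share_at_or_above(entities, level, strategy=None):
    """Percent of entities at or above `level`, overall or for one strategy
    (the way per-strategy adherence figures such as '68%' are reported)."""
    if not entities:
        raise ValueError("no entities to score")
    if strategy is None:
        hits = sum(overall_maturity(e) >= level for e in entities)
    else:
        hits = sum(e[strategy] >= level for e in entities)
    return round(100 * hits / len(entities))

def reassess_mfa(levels, phishing_resistant):
    """Assumed simplification of the November 2023 change: without
    phishing-resistant MFA an entity can no longer claim ML2+ for MFA."""
    updated = dict(levels)
    if not phishing_resistant:
        updated[MFA] = min(updated[MFA], 1)
    return updated

def _entity(default, **overrides):
    return {name: overrides.get(name, default) for name in ESSENTIAL_EIGHT}

# Constructed sample: (per-strategy levels, has phishing-resistant MFA).
SAMPLE = [
    (_entity(2, multi_factor_authentication=3), False),
    (_entity(2, application_control=1), True),
    (_entity(3), True),
    (_entity(1, restrict_office_macros=2), False),
]
BEFORE = [e for e, _ in SAMPLE]                      # self-assessed under the old model
AFTER = [reassess_mfa(e, pr) for e, pr in SAMPLE]    # re-scored under the new model
```

Under the old model half of the sample reaches ML2 overall; re-scoring the MFA strategy alone drops that to a quarter, with no change in the entities' actual controls.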

Nevertheless, the ASD said these updates were necessary: the tactics used by malicious actors keep evolving, and the guidance must match the current level of threat.

Organizations failing to keep up with Essential Eight enhancements will essentially be at a higher risk of being compromised by malicious actors and facing more severe consequences if a breach occurs.

Legacy IT also contributing to cybersecurity shortcomings

There were specific areas of apprehension for the ASD, such as the volume of incident notifications it received.

  • The percentage of entities reporting security incidents to the ASD remained low, with only 32% reporting at least half of the identified incidents on their networks in 2024.
  • The ASD also noted that the proportion of entities employing effective email encryption dropped from 43% to 35% according to assessments carried out to evaluate enhancements in cyber hygiene.

However, reliance on outdated systems significantly hindered many organizations’ ability to implement the Essential Eight. In 2024, 71% of entities indicated that the use of legacy technologies had hindered their efforts to implement the Essential Eight — an increase from 52% in 2023.

Organizations identified that the primary reasons for persisting with legacy IT were:

  • Failure to prioritize upgrades (25%).
  • Inadequate dedicated funding (24%).
  • Lack of a suitable replacement (16%).
  • Time constraints in dismantling systems (16%).

In its report, the ASD highlighted the ongoing issue of legacy IT within public sector organizations, posing substantial and enduring risks to the cybersecurity readiness of Australian government entities.

The ASD stated that legacy IT is more susceptible to cyber attack because vendors no longer provide security updates for it, or limit the security services they offer.

Malicious actors may also use legacy IT as a foothold to reach more modern systems within the same IT environment, the ASD noted.

Agencies are making some positive strides, according to the ASD

The ASD highlighted that cybersecurity readiness within Australian government agency operations was well-established in certain areas, but improvements were warranted in others. It particularly acknowledged the establishment of corporate governance mechanisms to comprehend security risks and prepare for cyber hazards.

The report revealed that most entities had prepared for a potential cybersecurity incident and were equipped to respond:

  • In 2024, 75% of entities had a cybersecurity strategy, an increase from 73% in 2023.
  • 86% of entities had addressed cybersecurity disruptions in their business continuity and disaster recovery planning, up from 83% in 2023.
  • 86% of entities possessed an incident response plan, an increase from 82% in 2023.

ASD urges public sector to enhance security maturity

The ASD advised that organizations should continue embedding the enhanced Essential Eight mitigation approaches across their networks to reach at least Maturity Level 2, in line with current mandates.

Moreover, it recommended that public sector organizations in Australia enhance their reporting of cybersecurity incidents, share cyber threat information with the ASD, implement strategies for managing legacy IT presently and in the future, and uphold an incident response plan, conducting exercises at least once every two years.
