Basics baffling govt agencies after ‘cyber slumber’

Joseph Brookes
Senior Reporter

Nearly 90 per cent of Australian government entities still aren’t implementing basic cyber resilience protections despite a growing risk, an annual assessment of Commonwealth cyber posture released on Friday has confirmed.

While adoption of basics like the Essential Eight is improving, the vast majority of entities aren’t at minimum maturity levels and most entities aren’t utilising assistance from cyber agencies.

Cybersecurity minister Clare O’Neil blamed the results on the previous Coalition government’s “cyber slumber” and pledged better protections through the new cybersecurity strategy now under development.

Minister for Home Affairs and Cyber Security Clare O’Neil. Photo: AAP/Lukas Coch

The Commonwealth Cyber Security Posture report covering the period of January 2021 to June 2022 was released on Friday.

In its third year, the report again showed the vast majority of entities have not implemented all the Essential Eight — a set of mitigation strategies to help organisations reduce their likelihood of experiencing a cyber security incident, and the impact of the incident if they do.

Just 11 per cent of entities are at the minimum required maturity level for implementing the strategies, which include basics like multi-factor authentication, regular backups, patching applications and application control. The self-reported figure improves to 19 per cent when compensating controls used to mitigate implementation gaps are included.

There were gradual improvements overall in Essential Eight implementation, with the biggest gains coming from government entities getting better at backing up, patching applications and controlling applications. User application hardening and restricting administrative privileges were the strategies implemented to a mature level by the lowest proportion of entities.

Use of security protocols like email security and encryption also improved, but “the proportion of Commonwealth domains in which these cyber hygiene measures have not been effectively implemented remains high”.

The levels of incident preparedness and reporting remained similar to previous years, but the number of entities that had exercised their Incident Response Plan every two years, and the number of entities reporting incidents to the Australian Cyber Security Centre, were “relatively low”.

Entities’ engagement with the Australian Signals Directorate’s cyber defence services was also low to moderate.

Cybersecurity minister Clare O’Neil blamed the previous government’s inaction for the widespread misses on meeting minimum cyber security requirements.

“When it comes to cyber security, the Morrison government failed to protect our country. These are the consequences of almost a decade of cyber slumber,” she told

“The former government has left us in a massive hole. They basically did bugger all about government cyber security, and fixing this huge problem for the country is going to take us some time.”

Last week, Ms O’Neil laid out an ambitious plan to make Australia “the world’s most cyber-secure country by 2030”, including more attention on hardening government systems.

A new national strategy will replace the Coalition government’s 2020 cybersecurity strategy, which has been criticised for poor monitoring and implementation.

Former Telstra chief executive Andy Penn, who worked on the 2020 strategy and will assist with the new one, has said the government needs to do more to act as a role model when asking industry to improve its cyber defences.

Ms O’Neil said the new plan will take a more holistic approach to combat a worsening environment.

“The cyber threat environment is constantly evolving. We must continue to develop and improve our approach to safeguard Australia’s security and prosperity, and ensure Australia is the safest place to connect online,” she said.

“The government’s new Cyber Strategy will build whole-of-nation resilience against these types of attacks and ensure our networks and devices are protected against malicious actors.”

The latest Commonwealth Posture report is in line with closer inspections of cyber resilience by the Auditor-General, who has repeatedly found government entities are not meeting their own minimum cybersecurity standards.


1 Comment
  1. Digital Koolaid 1 year ago

    Thanks Joe. Did Clare say what’s the “growing risk”? Haven’t seen it. Monsters under the bed again?
