Victorian government agencies are “not adequately prepared to prevent cyber-attacks”, the state’s auditor-general has warned, with more than 600,000 public servants yet to begin using multi-factor authentication for network access.
Coordination at a whole-of-government level is also lacking despite a recent cybersecurity plan, resulting in a duplication of effort by individual agencies at a time when cybersecurity threats are growing year-on-year.
In the audit examining the effectiveness of Microsoft 365 cloud-based identity and device management controls, the Victorian Auditor-General’s Office found multi-factor authentication (MFA) to be lacking at all eight audited agencies.
The audit, released on Wednesday, said that strong identity and device controls help to ensure that only verified users and devices can access government systems and that without them, agencies are “more at risk of cyber-attacks”.
In 2022 alone, 90 per cent of Victorian government agencies reported to the Department of Premier and Cabinet as having experienced a cybersecurity incident, though the report does not specify the seriousness of the incidents.
“Agencies are not adequately prepared to prevent cyber-attacks. This is because they have not correctly configured all of their Microsoft 365 cloud-based identity and device controls,” the report said.
Of the eight agencies audited, only four required MFA for all users, leaving around 617,000 user accounts – or 94 per cent – without MFA. One agency had not set up MFA for almost half its Microsoft 365 users because the user group experiences “significant difficulties with MFA”.
The lack of MFA was a key contributing factor in the 2020 Service NSW phishing attack that claimed the personal information of around 103,000 customers.
In terms of device controls, only half of the audited agencies have defined compliance policies for any of their devices. None of the agencies “have controls to block users with non-compliant devices from accessing their network”.
The audit also found that while six of the agencies recorded a ‘Microsoft Secure Score’ of more than 75 per cent, which is recommended by Digital Victoria, this “may not accurately reflect agencies’ true security posture” if they are also using third-party solutions or alternative mitigation methods.
At a whole-of-government level, only 40 of 150 agencies who agreed to share data with Digital Victoria did so, as the unit has “no legal authority to issue mandatory guidance and request information”.
It means Digital Victoria has limited visibility and cannot identify systemic issues, which may affect its ability to deliver the whole-of-government cyber operating model announced earlier this year, the audit said.
The lack of centralised security operations centres for agencies to use is also duplicating efforts because “individual entities need to deliver this function independently”, the audit said, noting that the government funded a Cyber Defence Centre in this year’s state Budget.
“The Victorian public sector has over 3,000 entities that deliver services to the public. Without a coordinated approach, many agencies are duplicating their efforts and not using the public sector’s economy of scale to efficiently management cybersecurity risks,” the report said.
In response to the audit, the Department of Government Services said a “new, non-overlapping cybersecurity guidance” would be developed over the next 12 months to address the issues identified in the audit.
The state government set aside $34.7 million for a cybersecurity reform package in this year’s Budget, following a mission delivery plan that also foreshadowed the creation of a Victoria Public Sector (VPS) Cyber Hubs Model.
But in its response, the Government Services department said that while the funding would go toward the creation of a new Cyber Defence Centre, the “Cyber Hubs Program is not currently funded”.
Liberal MP David Davis said the findings are a “wake-up call” and urged Government Services minister Danny Pearson to “pay heed” to the recommendations that have been agreed to by his department.
“The list of agencies audited is significant. The variety of agencies is significant. The advice is thoughtful and balanced. It is leading-edge advice,” Mr Davis told state Parliament on Wednesday afternoon.
Do you know more? Contact James Riley via Email.