https://www.aph.gov.au/Parliamentary_Business/Tabled_Documents/14601
Most Australian government entities are failing to adequately report cyber security incidents to the Australian Signals Directorate (ASD), according to the latest Commonwealth cyber security posture report. During the 2024-25 financial year, only 35 percent of federal agencies reported at least half of their observed cyber incidents to ASD, a slight increase from 32 percent the previous year. This persistent underreporting creates significant visibility gaps that hinder ASD’s ability to maintain comprehensive threat intelligence and issue timely mitigation advice, leaving critical infrastructure more vulnerable to state-sponsored cyber threats.
The report highlights that while ASD responded to 408 cyber incidents from government bodies—comprising a third of all events handled nationally—many entities still struggle with legacy IT systems, with 59 percent citing outdated infrastructure and insufficient funding as major obstacles to implementing key security controls. Although there has been progress in adopting ASD’s Essential Eight mitigation strategies, only 22 percent of agencies have reached the mandated Maturity Level 2, which requires robust measures such as multi-factor authentication and application controls. In addition, while many agencies have formal cyber security strategies and improved business continuity plans, the decline in supply chain risk assessments reveals ongoing vulnerabilities.
To address these challenges, ASD urges government organisations to enhance incident reporting and logging capabilities, manage legacy IT more effectively, and prepare for the future threats that post-quantum cryptography is meant to address.