Months before it moves to the heart of a new Home Affairs super-portfolio, the Immigration Department is failing to meet federal government cyber security standards and officials can't say when it will comply.
The security concerns were highlighted by a parliamentary committee report released on Wednesday, with MPs saying they remain "most concerned" Immigration and the Tax Office don't comply with mandatory 'top four' threat mitigation strategies, meaning their systems are not cyber resilient.
The Australian Signals Directorate intelligence agency says full implementation of the strategies would prevent as much as 85 per cent of targeted cyber intrusions, but in 2015-16 only 65 per cent of non-corporate Commonwealth entities said they complied.
The ATO said it expects to be fully compliant by next month, but was slowed due to a major outage of its online networks in December.
Immigration said it could not provide a date for when full compliance would be achieved.
The department, which includes the Australian Border Force, has previously said it would meet the standards by the end of 2016.
It will move to the Home Affairs portfolio from next year, alongside ASIO, the Australian Federal Police, Austrac and the Australian Criminal Intelligence Commission.
A new department will be led by secretary Michael Pezzullo.
An update to the strategies to create the so-called 'essential eight' government standards came in response to increasing ransomware threats and will see new work for departments and agencies.
Prime Minister Malcolm Turnbull's special adviser on cyber security Alastair MacGibbon has warned departments not to be "lulled into a false sense of security" against new attacks.
The committee was told it is likely Australian organisations were saved from the global WannaCry virus attack in May due to circumstances of timing, rather than by good cyber security preparations.
As most Australian organisations were not online when the attack started overnight, patching, anti-virus software updates and backing up of data could be completed before users logged in.
"The committee notes that significant machinery of government changes - with the creation of Australian Border Force - contributed to the delay in achieving compliance, however considers that compliance may have been achieved sooner if investment in these programs were made earlier," the committee said of Immigration.
"It is concerning to committee that a national strategic organisation, which is expected to operate in most, if not all time zones, on a 24-hour basis cannot, as yet, achieve the minimum requirement towards cyber resilience and has no time frame in which to do so."
Among the report's 10 recommendations are calls for the government to require the cyber intelligence agency's security strategies be in place by June 2018, including daily backups of important data, multi-factor authentication and application hardening.
It said all public service entities should complete the Australian Signals Directorate's annual survey and called for more in-depth audits and reports to parliament on cyber security standards.
In recent years, the survey has only been completed by between 30 and 40 per cent of entities.
Labor spokeswoman for cyber security Gai Brodtmann told Parliament the report's recommendations should be adopted urgently to ensure Australian organisations and data were secure.
"There is simply no excuse for any department or agency to ignore mandated security requirements," the Canberra MP said.
"Why is the government so blasé about this?"