Nearly three-quarters of government agencies are vulnerable to cyber threats with many using "ad hoc" protection and failing to undertake mandatory security measures, a parliamentary committee has found.
It follows just months after the Prime Minister announced a number of Australian organisations in the private and public sector were the target of "sophisticated" large-scale cyber attack.
The committee report, published in December, comments on the findings of two Auditor-General reports into the government's handling of cyber security resilience among its departments, agencies and corporate entities.
It found an overwhelming majority of government departments had either not complied with directions from the Australian Signals Directorate or had limited measures in place.
Of the 14 government entities audited, only four had complied with a mandatory security framework offered by the ASD's Australian Cyber Security Centre.
Government departments and agencies were also criticised for low levels of adoption, with 73 per cent of them reporting "ad hoc" or "developing levels of maturity".
"These findings are consistent with the conclusions in performance audits of cyber security, which have also consistently identified non-compliance," the report read.
"With cyber security being an area of government priority for many years, these findings are disappointing."
The committee recommends more stringent reporting measures be put in place and the audit office conduct annual reviews into the compliance of cyber security measures.
The Auditor-General Grant Hehir noted in a May 2020 public hearing the office had undertaken a large number of cyber security audits into government agencies because it was concerned about non-compliance.
Mr Hehir said it also highlighted possible issues with the framework it was all based on.
"The level of work we do is a reflection of our concerns about the level of compliance within the sector," Mr Hehir said in May.
"It goes not just to individual entities but to the effectiveness of the framework."
Prime Minister Scott Morrison previously confirmed in June a number of government agencies had been the target of a cyber attack orchestrated by an unnamed foreign government.
The attack affected a number of essential service and critical infrastructure providers along with industry, education and health sectors but details of what had been impacted were light.
Mr Morrison said the threat was not new but its frequency had been increasing.
Labor cyber security spokesman Tim Watts and committee deputy chairman Julian Hill said the report was a reminder much work still needed to be done in order to secure the government's cyber resilience.
"The Prime Minister has never missed a photo op on his many announcements when it comes to talking about the cyber security threats facing our nation," Mr Watts and Mr Hill said in a joint statement.
"But he hasn't been there for the follow up to ensure cyber resiliency inside his government in the face of these increasing threats.
"Now that Parliament has done the Prime Minister's job for him, he must immediately accept and act on this report's recommendations."