A number of government departments have been described as having "ad hoc" cyber security systems and are lagging behind, the audit office has found, despite malicious cyber activity being a "significant" government threat.
The Auditor-General's office has revealed the concerning state of cyber security management by 14 government entities, including federal departments, which had been left exposed to serious threats and data breaches.
In a report released on Friday afternoon, the audit office found the implementation of government-wide cyber security risk mitigation strategies had not been "fully effective", and that capable intelligence agencies, which were required to assist the entities, had been failing to offer them the needed support.
Under a mandatory security policy framework, departments were required to develop cyber security strategies adhering to four main categories: governance, information security, personnel security and physical security.
But the audit office found many had struggled to comply with the rules designed to protect sensitive government data from unauthorised access.
Among the worst offenders were the Education and Health Departments along with the Australian Trade and Investment Commission, which were all marked as "ad hoc".
The framework defined ad hoc as a partial or basic implementation of the mandatory security requirements while the top level, titled "embedded", was considered comprehensive and effective. None of the audited entities achieved the top rating.
The report also found the Home Affairs and Attorney-General's Departments and the Australian Signals Directorate had not worked to support the entities in putting the strategies into effect.
In response, the office recommended the three cyber and policy agencies be held accountable when the other entities did not implement the requirements.
"There is scope to further improve the accuracy of entities' [self cyber security] assessments and strengthen arrangements to hold entities to account for the implementation of cyber security mandatory requirements," the report read.
"Robust accountability arrangements are particularly important in absence of public accountability through reporting to the Parliament."
The report comes three months after a Parliamentary committee report, published in December, which determined only four of the 14 entities audited had complied with a mandatory security framework offered by the ASD's Australian Cyber Security Centre.
Prime Minister Scott Morrison fronted reporters in June 2020 with revelations an unnamed foreign government had launched a cyber attack against a number of government agencies.
Labor cyber security spokesman Tim Watts and committee deputy chairman Julian Hill said six months later it was time for Mr Morrison to mitigate the increasing threat.
"The prime minister has never missed a photo op on his many announcements when it comes to talking about the cyber security threats facing our nation," Mr Watts and Mr Hill said in a joint statement.
"But he hasn't been there for the follow up to ensure cyber resiliency inside his government in the face of these increasing threats.
"Now that Parliament has done the prime minister's job for him, he must immediately accept and act on this report's recommendations."