Australia’s prime minister and cabinet office and attorney-general departments are vulnerable to cyber security incidents because they have not fully implemented key mitigation strategies, auditor-general Grant Hehir has warned in a report.

Nevertheless, the departments are continuing to strengthen controls for managing such occurrences, he added in a performance audit he conducted into the cyber security strategies of nine government departments.

Like the prime minister’s and attorney-general’s departments, the country’s sovereign wealth Future Fund Management Agency has not fully implemented the top four mitigation strategies. But it “is internally resilient as it has effective controls in place to support its ability to detect and recover from a cyber security incident,” he wrote.

The top four refers to application whitelisting, patching applications, restricting administrative privileges, and patching operating systems which the government’s signals department says would prevent at least 85% of targeted cyber intrusions if fully implemented.

There were 436 cyber security incidents Australian government entities reported to the signals department in 2019/20.

Hehir commented: “Malicious cyber activity has been identified as one of the most significant threats affecting government entities, businesses and individuals.

“Previous ANAO [Australian National Audit Office] audits have identified low levels of compliance with mandatory cyber security requirements under the protective security policy framework (PSPF).

“The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective and did not fully meet the mandatory requirements of [the] PSPF.”

He made 13 recommendations to improve the government’s overall level of cyber security, most of which were agreed by the departments concerned.

In response to the auditor-general’s findings, the prime minister and cabinet department said it disagrees with the finding it is non-compliant on detailed implementation of security controls. The department argued it has validation processes in place which adhere to recommendations of the Information Security Manual and believes that meets Australian Cyber Security Centre guidance.

The attorney-general’s department said it considers “it has a robust framework in place to manage cyber security risks. Implementation of the top four mitigation strategies is part of a broader range of strategies implemented by the department.” 

Future Fund said it is committed to providing a secure cyber environment to safeguard Australia’s assets. “The agency expects to achieve full implementation of the top four mitigation strategies by the end of calendar year 2021,” it added.

 PrivSec Global, a live streaming event, is currently taking place, featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.