
Australian government agencies fail to keep up with changes in cyber security


More Australian government agencies failed to meet required levels of cyber security maturity in 2024 than in 2023, according to an assessment by the Australian Signals Directorate.

ASD reported that only 15% of institutions achieved Maturity Level 2 on Australia’s Essential Eight cyber security framework in 2024, a sharp drop from 25% in 2023.

Under Australia’s Protective Security Policy Framework, agencies were required to implement all eight mitigation strategies to at least Maturity Level 2 by 1 July 2022.


Despite these requirements, ASD noted that the 2024 results highlight that Level 2 compliance “remains low” among agencies.

Government agencies are going backwards on cyber security mitigation.

Australia’s Essential Eight framework outlines eight mitigation strategies to help organizations reduce security incidents and their impact when incidents occur.

These steps include:

  • Patch applications.
  • Patch operating systems.
  • Multi-factor authentication.
  • Limit administrative privileges.
  • Application control.
  • Limit Microsoft Office macros.
  • User application hardening.
  • Regular backups.

The framework also describes characteristics of four maturity levels ranging from 0 to 3. Organizations must meet maturity levels across all eight strategies to claim that they have reached a high maturity level.

Where agencies are performing worst against the Essential Eight.

Mitigation strategies where the lowest proportion of agencies had reached Maturity Level 2:

Australian government agencies performed best against Maturity Level 2 for the following strategies:

  • Limit Microsoft Office macros (68%).
  • Regular backups (59%).
  • Patch operating systems (51%).

Results may be affected by 2023 update.

ASD suggested that several updates to the Essential Eight model in November 2023 contributed to agencies’ lower maturity levels in 2024.

“Changes to the Essential Eight maturity model mean that institutions that have not yet implemented the new requirements will record a decline in maturity levels compared to 2023,” ASD said in the report.

For example, 54% of agencies previously reported that they are at Maturity Level 2 for multi-factor authentication. New requirements for phishing-resistant MFA pushed the ratio down to 23%.


However, these updates were to “address cyber security threats informed by the evolution of tradecraft used by malicious actors”, which required “risk-specific” advice.

Agencies that do not keep up with the Essential Eight updates will be exposed to an increased risk of compromise by malicious actors and will suffer a greater impact if a compromise does occur.

Legacy IT is also contributing to the lack of cyber security.

There were some areas of concern for the ASD, including the volume of incident reports it received.

  • The percentage of institutions reporting security incidents to ASD remained low, with only 32 percent reporting at least half of the incidents observed on their networks in 2024.
  • ASD also said that the proportion of organizations implementing effective email encryption fell from 43% to 35%, according to scans conducted to assess cyber hygiene improvements.

However, the use of legacy systems greatly affected the ability of many agencies to implement the Essential Eight. In 2024, 71 percent of institutions indicated that the use of legacy technologies had affected their ability to implement the Essential Eight, an increase from 52% of institutions in 2023.

The most important reasons organizations still use legacy IT are:

  • Lack of upgrade priority (25%).
  • Inadequate dedicated funding (24%).
  • Lack of viable alternatives (16%).
  • System termination time (16%).

In the report, the ASD said the ongoing problem with legacy IT in public sector agencies presented “significant and enduring risks to the cyber security posture of Australian government bodies”.

“Legacy IT is more vulnerable to cyber-attacks because vendors do not support the development of security updates, or limit security services,” ASD said.

Malicious actors may be able to compromise legacy IT and use it to access more advanced systems in the IT environment.

ASD says the agencies are doing some things right.

Australian government agencies’ cyber security postures are “well established in some areas, and require improvement in others,” the ASD said. It cited the establishment of corporate governance mechanisms to understand security risks and prepare for cyber threats as a positive area.

The report found that most had planned for a cyber security incident and were prepared to respond:

  • In 2024, 75% of organizations had a cybersecurity strategy, up from 73% in 2023.
  • 86% of organizations address cybersecurity barriers in their business continuity and disaster recovery planning, up from 83% in 2023.
  • 86% of organizations had an incident response plan, up from 82% in 2023.

ASD called on the public sector to improve security maturity.

ASD concluded that agencies should continue to implement the updated Essential Eight mitigation strategies across their networks to at least Maturity Level 2, in accordance with current requirements.

It also recommended that Australian public sector agencies increase reporting of cyber security incidents and share cyber risk information with ASD, implement strategies to manage legacy IT now and in the future, and have and maintain an incident response plan and implement it at least every 2 years.


