Nine in 10 government agencies report cyber incidents

It was also found agencies did not have fully effective Microsoft 365 cloud-based identity and device controls, leaving them more susceptible to attacks.

"This is because agencies cannot stop malicious users from using unsecured accounts and noncompliant devices to access their networks," according to a report tabled in parliament on Wednesday.

The auditor warned cyber attacks could cause data leaks, disrupt communication networks and shut down water, health and other critical facilities.

It examined a range of agencies for its cybersecurity report including government departments, a local council, a water authority and a health service.

The auditor found not all agencies properly understood and oversaw cybersecurity services it got from third-party providers.

"An agency can use a third-party service provider to manage their cybersecurity services. But the agency is accountable for its overall cybersecurity risks," the auditor said.

It also found Victoria's public sector did not use its size and scale to co-ordinate a more united front against cybersecurity risks.

The auditor made seven recommendations, all of them accepted by agencies either in full, in principle or with qualifications.

"While our recommendations are directed to audited agencies, we expect all Victorian public sector agencies to implement them where appropriate," the auditor said.

Among the recommendations, the public sector was urged to work together to put out guidance about cybersecurity, extend cyber hubs and security operations centres, complete a risk assessment and address technical weaknesses.

Agencies were also encouraged to cast a closer eye over third-party cybersecurity services.

Victoria's Department of Premier and Cabinet reported that 90 per cent of state government agencies experienced cybersecurity incidents in 2022, the auditor said.

License this article