Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.

Download a PDF copy of Appendix A: Submissions and comments.

The public sector does not use its size and economy of scale to address cybersecurity risks in a coordinated way. Agencies have recognised the need to establish a whole of government approach but need to do more to improve the public sector’s cybersecurity.

Agencies are not adequately prepared to prevent cyber attacks. This is because they have not correctly configured all of their Microsoft 365 cloud-based identity and device controls.

Cyber attacks

This section summarises our key findings. Sections 2 and 3 detail our complete findings, including supporting evidence.

In this report we do not specify which findings relate to which agency given the sensitive nature of the weaknesses we observed. But we have given each audited agency a detailed report about their own control deficiencies. 

When reaching our conclusions, we consulted with the audited agencies and considered their views. The agencies’ full responses are in Appendix A.

We made 7 recommendations to address 3 key findings. The relevant agencies have accepted the recommendations in full or in principle or with qualifications. While our recommendations are directed to audited agencies, we expect all Victorian public sector agencies to implement them where appropriate.

Download a PDF copy of Appendix: Abbreviations, acronyms and glossary.