We consulted with the audited agencies and considered their views when reaching our conclusions. The agencies’ responses are in Appendix A.
We conduct performance engagements that assess whether public sector agencies have efficient, effective, economical and compliant programs and services.
Download a PDF copy of Appendix C: Audit scope and method.
Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.
Download a PDF copy of Appendix A: Submissions and comments.
The public sector does not use its size and economy of scale to address cybersecurity risks in a coordinated way. Agencies have recognised the need to establish a whole of government approach but need to do more to improve the public sector’s cybersecurity.
Agencies are not adequately prepared to prevent cyber attacks. This is because they have not correctly configured all of their Microsoft 365 cloud-based identity and device controls.
Identity and device controls are 2 pillars of the zero trust model. These controls help an agency:
Public sector agencies are constantly at risk of cyber attacks.
Microsoft reports and analyses 43 trillion threat signals for its cloud computing products every day.
Cyber attacks can:
This section summarises our key findings. Sections 2 and 3 detail our complete findings, including supporting evidence.
In this report we do not specify which findings relate to which agency given the sensitive nature of the weaknesses we observed. But we have given each audited agency a detailed report about their own control deficiencies.
When reaching our conclusions, we consulted with the audited agencies and considered their views. The agencies’ full responses are in Appendix A.
We made 7 recommendations to address 3 key findings. The relevant agencies have accepted the recommendations in full or in principle or with qualifications. While our recommendations are directed to audited agencies, we expect all Victorian public sector agencies to implement them where appropriate.