Cyber security maturity declines among Australian government agencies in 2024, as legacy IT systems hinder progress under the Essential Eight framework.
More Australian government agencies failed to meet the required levels of cyber security maturity in 2024 than in 2023, according to an assessment by the Australian Signals Directorate.
The ASD reported that only 15% of entities achieved Maturity Level 2 on Australia’s Essential Eight cyber security framework in 2024 — a sharp decline from 25% in 2023.
Under Australia’s Protective Security Policy Framework, agencies were required to implement all Essential Eight mitigation strategies to meet at least Maturity Level 2 by July 1, 2022. Some entities were also advised to consider whether their security environment warranted achieving the higher Maturity Level 3.
Despite these requirements, the ASD noted that the 2024 results highlight that achieving Level 2 compliance “remains low” among agencies.
Government agencies going backward on cyber security mitigation
Australia’s Essential Eight framework outlines eight mitigation strategies to help entities reduce their vulnerability to security incidents and the impact of incidents if they do occur.
These measures include:
- Patch applications.
- Patch operating systems.
- Multi-factor authentication.
- Restrict administrative privileges.
- Application control.
- Restrict Microsoft Office macros.
- User application hardening.
- Regular backups.
The framework also defines four maturity levels, numbered 0 to 3, and describes the characteristics of each. An entity must meet a given level across all eight strategies before it can claim that level overall; its overall maturity is capped by its weakest strategy.
Where agencies are performing worst against the Essential Eight
The mitigation strategies where the lowest proportion of agencies reached Maturity Level 2 were:
- Multi-factor authentication (23%).
- Restricting administrative privileges (31%).
- Application control (36%).
Australian government agencies fared best against Maturity Level 2 for the following strategies:
- Restrict Microsoft Office macros (68%).
- Regular backups (59%).
- Patch operating systems (51%).
A 2023 update may have impacted results
The ASD suggested that several upgrades to the Essential Eight model in November 2023 may have contributed to agencies rating their maturity levels lower in 2024.
“Changes to the Essential Eight Maturity Model mean entities which had not yet implemented new requirements would record a reduction in maturity level compared to 2023,” the ASD said in the report.
For instance, 54% of agencies had previously reported Maturity Level 2 for multi-factor authentication; the new requirement for phishing-resistant MFA pushed that proportion down to 23%.
However, these updates were to “address cyber security threats informed by the evolution of tradecraft used by malicious actors,” which required advice “commensurate with the threat,” the ASD said.
Agencies that do not keep pace with Essential Eight updates are therefore exposed to an increased risk of compromise by malicious actors, and will suffer greater impact if a compromise does occur.
Legacy IT also playing role in cyber security deficiency
There were some areas of co