Federal government entities are not reporting cyber incidents to the country’s main intelligence agency and more than three in four still haven’t put basic protections in place, a new report has found.

The Australian Signals Directorate’s (ASD) Commonwealth Cyber Security Posture in 2025 was tabled in Parliament last week after being handed to the government late last year.

It details the level of cybersecurity measures implemented across the nearly 200 federal government entities, based on a survey of those agencies.

The report reveals low rates of cybersecurity incident reporting to ASD.

In 2024-25, just 35 per cent of entities said they reported at least half of all cybersecurity incidents that were observed on their networks.

Under the Protective Security Policy Framework (PSPF), Australian government entities are required to report “significant or externally reportable” cybersecurity incidents to ASD.

“The low rate of reporting may be due to a proportion of entities experiencing a high number of low-impact incidents, which they do not consider to meet the reporting threshold,” the report said.

Reporting to ASD has slightly improved from last year, but dropped from 42 per cent in 2022-23.

Many public sector workers are also not reporting cyber incidents to their own senior executives: nearly 40 per cent of entities said four in five cyber incidents were not reported to senior executives.

Basic cyber protections

The report also details the number of agencies that have implemented the Essential Eight cyber mitigation strategies.

Just over one in five entities have reached Level 2 maturity under the Essential Eight.

The Essential Eight spans four maturity levels, with level 2 focusing on preventing malicious actors “willing to invest more time in a target and…in the effectiveness of their tools”.

The agencies particularly lag when it comes to application control, user application hardening and multi-factor authentication, which only 34 per cent had implemented.

The presence of legacy technologies and systems is the main factor agencies said is holding back their implementation of the Essential Eight, with nearly 60 per cent listing it as the main impediment, followed by a lack of dedicated funding and a lack of a viable replacement.

“Findings in this report indicate that, overall, Australian government entities have established corporate governance mechanisms to understand their security risks and prepare for cyber threats,” the ASD report said.

“The findings also indicate improvement is required in some areas and progress in others.”

The dangers of legacy tech

ASD said that legacy IT presents “significant and enduring risks to the cybersecurity posture of government entities”.

More than 80 per cent of government entities now have a cybersecurity strategy, up from three-quarters in the previous year.

And more than 90 per cent have addressed potential cybersecurity disruptions in their business continuity and disaster recovery planning, and nine in ten have an incident response plan.

While the majority of entities provide annual cybersecurity training, less than half also provide annual privileged user training.

ASD responded to 408 cybersecurity incidents reported to it by entities in 2024-25, accounting for a third of all incidents it responded to in the year.

A recent Audit Office of NSW inquiry into local governments found that many were “not effectively” managing cybersecurity risks, presenting an “unmitigated risk to the security of information and assets”.

The federal government has launched its 2023-2030 Cyber Security Strategy with an aim to make Australia one of the most cyber-secure nations in the world by the end of the decade and legislated the country’s first Cyber Security Act in late 2024.

This made it law to report ransom payments to the government and included initiatives to boost collaboration with the government during cybersecurity incidents.