Most Australian government agencies are failing to fully report cyber security incidents to the nation's signals intelligence agency, which risks undermining situational awareness around protecting critical infrastructure from state-sponsored threats.
Only 35 percent of federal entities reported at least half of their observed cyber security incidents to the Australian Signals Directorate (ASD) during the 2024-25 financial year, according to the annual Commonwealth cyber security posture report.
"The percentage of entities reporting cyber security incidents to ASD remained low," the intelligence agency noted.
That figure represents a marginal increase from 32 percent the previous year.
Persistent underreporting risks preventing ASD from maintaining comprehensive threat intelligence across government networks.
Without visibility into the full scope of cyber incidents, the agency cannot identify emerging attack patterns and provide timely mitigation advice to vulnerable entities.
"Any degradation in the quantity or quality of information reported to ASD reduces our capacity to support the entity to mitigate the impacts of cyber compromise," the report states.
The low reporting rate persists despite ASD responding to 408 cyber security incidents from government entities during the financial year.
These incidents represented a third of all cyber security events ASD handled nationally; it also frequently assists private sector organisations that are attacked.
The problem occurs even though 62 percent of entities reported they inform their senior executives of at least 80 percent of incidents.
Under the Protective Security Policy Framework (PSPF), non-corporate Commonwealth entities must report significant or externally reportable cyber security incidents to ASD.
However, many of them could be experiencing high volumes of low-impact incidents that they see as below the reporting threshold.
The gap in incident visibility occurred despite ASD notifying government organisations 223 times during the year of potential malicious cyber activity detected through the agency's own monitoring capabilities.
Other topline findings
Beyond the reporting failures, the majority, or 59 percent, of federal agencies struggle with legacy IT that prevents them implementing essential security controls.
Insufficient dedicated funding and lack of viable replacement options were given as the primary barriers to modernisation in response to an ASD report.
The proportion of entities achieving Essential Eight (E8) Maturity Level 2 across all mitigation strategies increased to 22 percent from 15 percent in 2024.
While this is an improvement, reaching E8 Maturity Level 2 has been mandated for non-corporate Commonwealth agencies since July 2022.
A government organisation must implement all eight strategies set out by the ASD to reach Maturity Level 2.
This includes application and operating system patching, multi-factor authentication (MFA), restricted administrative privileges, application control, restricting Microsoft Office macros, user application hardening and regular backups.
Substantial E8 framework updates in November 2023 increased the technical requirements for phishing-resistant MFA and application controls.
Meanwhile, strategic planning showed stronger results, with 82 percent of entities having a formal cyber security strategy.
Business continuity planning also improved, with 92 percent of entities addressing cyber security disruptions in disaster recovery plans.
However, supply chain risk assessment declined slightly, with 70 percent of entities performing assessments for applications and IT equipment, down from 74 percent in 2024.
ASD recommends that government entities prioritise effective logging capabilities, implement legacy IT management strategies, and increase cyber security incident reporting.
The agency also urges organisations to begin preparing for post-quantum cryptography by identifying and assessing cryptographic algorithms requiring transition before 2030.
Participation in ASD's Cyber Security Partnership Program became mandatory for non-corporate Commonwealth entities in July 2024.
As of 30 June 2025, 99 percent of these entities had joined the programme.
ASD first published a cyber security posture report for government agencies in 2020.




