Cyber security report card: Legacy systems exposed to modern hacking threats

Nearly four in five federal government entities are failing to meet the mandatory baseline for cyber security, as crumbling legacy technology and a lack of dedicated funding leave the Commonwealth’s digital architecture exposed to potential adversaries.

Director-General of the Australian Signals Directorate Abigail Bradshaw. Picture by Gary Ramage

The Commonwealth Cyber Security Posture in 2025 report revealed a systemic compliance gap where only 22 per cent of agencies reached the required Maturity Level 2 across the Essential Eight mitigation strategies.

While the report by the Australian Signals Directorate (ASD) showed there was a slight increase from the 15 per cent success rate seen in 2024, progress was outpaced by a hardening of security controls necessitated by an evolving threat environment.

It resulted in a systemic compliance gap where 78 per cent of government bodies were currently unable to demonstrate a moderate level of protection against sophisticated cyber adversaries.

The Protective Security Policy Framework (PSPF) requirement has been in place since July 2022 for all non-corporate Commonwealth entities to achieve Maturity Level 2 (ML2), yet the vast majority remained non-compliant.

ML2 represented a robust security baseline designed to thwart adversaries that specifically targeted organisations using sophisticated, modern techniques.

This standard required the implementation of phishing-resistant multi-factor authentication, such as physical security keys, and mandated that critical software vulnerabilities were patched within 48 hours to ensure data integrity.

A key reason for the failure was the persistent reliance on legacy IT systems, which 59 per cent of entities indicated actively inhibited their ability to implement basic security measures.

While this was an improvement from 71 per cent of agencies in 2024, the path to modernisation was frequently blocked by structural hurdles.

The report identified lack of dedicated funding (34 per cent) as the single most significant reason for the continued use of legacy systems, followed by a lack of viable replacements (18 per cent) and a shortage of skilled personnel (16 per cent).

Beyond technical failures, the report exposed a concerning decline in specialised workforce development.

While general annual training increased to 87 per cent, the proportion of entities providing annual training for privileged users, those with the highest level of system access, dropped from 51 per cent to 45 per cent.

This retreat in specialised training occurred alongside a persistent culture of silence as only 35 per cent of entities reported at least half of their observed cyber incidents to the ASD.
