The Queensland Auditor-General, in its latest report, revealed the state accounted for nearly a third of the 94,000 cybercrimes reported to the national body in 2022/23 — a figure disproportionate to its population.

Auditor-General Brendan Worrall warned government departments were not as prepared as they had to be, with some entities yet to test and exercise the plans they have in place while others relied on third-party providers to defend them against cyber crooks.

“Just having plans is not enough,” he said.

“They need to test their plans and readiness. They need to identify and address any skills gaps they have for dealing with cyber incidents.”

The sensitive data of many Australians have been exposed through a series of high-profile cyber breaches in recent times. This includes last week Ticketek cyber breach, which disclosed birth dates and full names of a significant number of people.

Nearly 200,000 Queenslanders had to have their drivers licences reissued after the personal information of 10 million current and former Optus customers were stolen by hackers in 2022.

Mr Worrall, in the report, said the state government had increased its investment in cyber security and much was now available to help entities protect themselves.

But the government bodies weren’t aware of what was available to them and while they had plans in place, none were as effective or complete as they needed to be.

The Auditor-General also warned entities “cannot delegate responsibility for managing their cyber risks” to third-party organisations, after it was found the five departments audited were leaning on external businesses for expertise.

Griffith University cybersecurity expert Dr David Tuffley said public entities needed to review and test their response constantly in order to keep up with the “constantly changing” modes of attack deployed by crooks.

“But that takes time and effort and resources … (and) a lot of these problems come back to insufficient funding,” Dr Tuffley said.

He said a lack of cybersecurity experts also meant there were thousands of job openings unfilled across the country, which is partly why companies and government bodies have to use third-party providers.

Mr Worrall made a total of 14 recommendations including for public sector entities to maintain a register of critical systems and information assets and putting in place proper crisis communication plans.

He also called for key governance documents to be changed to “formally recognise” that responsibility for cyber security rests with the public body’s chief executive or equivalent.

Originally published as Cyber crims target Qld as experts reveal gov not prepared for attacks