A concerning cyber security report, tabled in parliament on Wednesday, has revealed that Victoria’s public sector is failing to block cyber security threats, resulting in major disruptions to critical services.

The Victorian Auditor-General’s Office (VAGO) investigation found a series of government agencies do not have fully effective device controls, don’t understand services provided by third-parties and are not effectively tapping into the public sector’s extensive resources to address cyber security risks.

The findings come after a string of alarming breaches, including a cyber attack on multiple Victorian hospitals in September 2019 which saw surgeries delayed after booking systems were shut down for more than 24 hours.

Fire Rescue Victoria in December 2022 also fell victim to a sweeping cyber attack that resulted in leaks of staffers personal information and data about people who had applied for positions.

The breach ignited an outage of FRV’s computer dispatch system and phone lines, forcing firefighters to rely on emergency alerts from their mobile phones or radio messages.

The report also noted the infamous 2022 Optus data breach, which sensationally revealed 10 million past and existing customers’ addresses and driver's licence numbers.

VAGO recommended that the Department of The Government Services and Office of the Victorian Information Commissioner expand its security measures for all employees on all devices used to access public sector resources, including personal computers and phones and mobile devices.

“Successful attacks on Victorian Government agencies have seriously disrupted critical services,” the report warned.

Ninety-five per cent of user accounts at audited agencies, or 617,000 employees, did not have multi-factor authentication (MFA), with only half of the agencies requiring all staffers to use MFA.

“There are over 3,000 entities that deliver services to the public,” it states.

“Without a co-ordinated approach, many agencies are duplicating their efforts and not using the public sector’s economy of scale to efficiently manage cybersecurity risks.

The audit and report, which came at a price of $710,000, involved five government departments, including the education and health department, Moorabool Council, South East Water, Cenitex, Grampians Health Horsham and the Office of the Victorian Information Commissioner.

The Department of Government Services said it accepted the recommendations directed to it in the report.

“Cybersecurity is a priority and we are investing to further build capability and performance across government,” a government spokesperson said.

“The new Cyber Defence Centre provides the ability to detect and block threats in real time.”