Making government more secure from cyber attacks requires leaders to make it a priority, an inquiry has heard.
Auditor-General Grant Hehir says an individual department’s risk of being hacked didn’t necessarily drive change.
Instead it needed to be directed by leadership, he told a parliamentary inquiry on Thursday.
“If it’s lower down the priority list of an entity, it doesn’t happen; it’s not much more complicated than that,” he said.
The inquiry is reviewing two Australian National Audit Office reports that examined the government’s cybersecurity approach.
Mr Hehir said the growing public awareness of cybersecurity was starting to pressure departmental heads to change.
He said culture, and not the size of the department, affected how seriously cybersecurity was taken.
“We’ve audited some quite small, single responsibility entities which have had a poor cybersecurity posture,” Mr Hehir said.
The Attorney-General’s Department, which enforces cybersecurity policies across government, admitted there was room to improve.
Thursday’s hearing comes during heightened anxiety over hacking as the Morrison government injects extra funding into cybersecurity.
Bureaucrats said they were expecting more action from government in the coming months.