A recent audit by the Victorian Auditor-General's Office (VAGO) has found that no Victorian government agencies have complete and accurate IT server inventories, leaving them vulnerable to cyber threats.

The October 2025 report, "Cybersecurity of IT Servers," examined 10 government departments and Cenitex (the state-owned IT services provider) and found significant gaps in their server security measures.

"A complete and accurate server inventory is a critical foundation for effective cybersecurity," states the report.

"Without this, agencies cannot reliably apply, manage or monitor the technical security controls needed to protect their servers."

The audit revealed that 25% of servers reported by agencies have operating systems that are unsupported and not receiving automatic security updates. A further 11% of server entries had unknown operating systems.

All agencies were found to have low maturity in their technical security controls when measured against industry benchmarks such as the Microsoft Cloud Security Benchmark (MCSB).

Six agencies use automated asset discovery tools to identify servers, but none had these tools configured to cover their entire server environment.

"All agencies have outdated operating systems and some servers that lack mature technical security controls," the report concludes. "These gaps expose agencies to cyber threats and increase the risk of successful cyber attacks."

VAGO made three recommendations, including that all agencies improve their tracking of IT servers and strengthen technical security controls. It also recommended the Department of Government Services issue guidance on minimum requirements for server security.

According to the report, in 2023, 9 out of 10 Victorian Government organisations experienced a cyber incident.

The full report can be downloaded here