Government & Public Sector

When government systems fail, it’s not a bad customer experience. It’s citizens who can’t get paid, can’t get help, and can’t trust what they’re told.

Across the world, public sector agencies are under pressure to do more with less: digital services, AI, open data, whole-of-government platforms, cloud migration, and a threat environment that looks more like a battlefield than an IT issue.

The High Stakes of Compliance

  • USD 4.44M: Global average breach cost (2025)
  • USD 2.86M: Public sector average breach cost
  • 1,113: Notifiable data breaches in 2024 (Australia)
  • 84,700+: Cybercrime reports (ACSC 2024–25)

In 2025, IBM’s global Cost of a Data Breach report put the average cost of a breach at USD 4.44 million, with the public sector average at around USD 2.86 million—up 12% year-on-year. (Baker Donelson) The Australian Government sector was the second highest for privacy complaints and third highest for notifiable data breaches in 2023–24; the Privacy Commissioner reported 1,113 data breaches across business and government in 2024, up from 893 in 2023. (Australian National Audit Office)

The ACSC responded to more than 1,200 cyber security incidents and over 84,700 cybercrime reports in 2024–25, with an average of one report every six minutes. (Defence Ministers) ASD notified government entities 223 times in 2025 about potential malicious cyber activity—while many agencies still failed to report incidents back. (Cyber.gov.au)

Fortura exists so this doesn’t end with “We didn’t see it coming” on the front page.

Our Focus

Who We Work With

We support a broad range of public sector organisations across ANZ, including:
  • Federal and state/territory departments and agencies
  • Local government and councils
  • Statutory authorities and regulators
  • Health, education, transport and justice portfolios
  • Shared services and whole-of-government platforms
  • Government-owned corporations and critical infrastructure operators
  • NGOs and not-for-profits delivering government-funded services

If you’re accountable to citizens, Parliament, Cabinet or Ministers—and you depend on digital systems and data—this page is written for you.

Rising Expectation

The New Operating Reality for Government

The last few years have fundamentally shifted the risk environment for the public sector:

01

Everything is now a digital service

Tax, benefits, licensing, grants, case management, justice, health, transport—citizens expect frictionless, mobile-first experiences.

02

Data is the new “crown jewel”

Agencies sit on decades of identity, payments, health, education and justice data that is extremely attractive to criminals and foreign intelligence services.

03

AI is everywhere

From document triage and policy analysis to call centre bots and case-working assistants, AI is being adopted faster than governance can catch up.

04

Legislative expectations are rising

The Cyber Security Act 2024 introduced new obligations under the 2023–2030 Australian Cyber Security Strategy, tightening requirements around critical infrastructure, incident reporting and government cyber maturity. (Department of Home Affairs Website)

All of this is happening while budgets are tight, legacy systems persist, skill shortages bite, and agencies are told to “move fast” on digital transformation.

For government, the mandate is simple but brutal: be open, be digital, be efficient—and be secure.

Inside The Attack

How Attacks Actually Happen in the Public Sector

Most public sector compromises don’t start with a dramatic takedown of a national system. They start with something small:
  • A staff member reuses a personal password on a government SaaS platform.
  • A council contractor's laptop is stolen with cached access to internal systems.
  • A department spins up a new cloud workload for a pilot program and forgets to lock it down.

Behind the scenes, attackers—criminal and state-sponsored—are running continuous campaigns:

01

Reconnaissance at scale

Open data, social media, public org charts and tender documents give adversaries rich context on who does what, who has access, and where the weak spots are.

02

Identity and access compromise

Phishing, password spraying, credential stuffing and MFA fatigue attacks target public servants and contractors alike. Increasingly, adversaries use AI to customise lures to roles, projects and current events.

ASD’s 2024–25 reporting shows ransomware remains one of the most disruptive forms of cybercrime, with 138 ransomware incidents responded to across sectors—many involving government or critical infrastructure. (CyberPulse)

We’ve already seen the first public disclosure of AI-orchestrated espionage campaigns, where AI agents weren’t just used to write phishing emails, but to autonomously carry out parts of the intrusion. (Anthropic)

The public sector doesn’t just face yesterday’s attacks with today’s tools. It faces tomorrow’s attacks, right now.

Emerging Risk

AI: From Digital Hope to Attack Surface

AI is transforming government—whether you have a strategy or not.

On the service side:

  • Chatbots and virtual assistants supporting citizen queries
  • AI-assisted case triage, prioritisation and eligibility checks
  • Natural language tools for policy analysis, drafting and research
  • Computer vision for enforcement, compliance and infrastructure monitoring

On the risk side:

  • Shadow AI: Public servants quietly pasting sensitive content into public AI tools to “get things done faster”.
  • AI-generated phishing and scams: Highly tailored messages that mirror internal language and current policy programs.
  • Deepfake voices and video: Impersonating Ministers, senior executives or trusted partners.
  • Agentic AI in attacks: Autonomous or semi-autonomous AI agents used by adversaries to probe, test and exfiltrate from government networks. (Anthropic)

Research in 2025 showed that ungoverned AI systems are more likely to be involved in breaches and more costly when they are, with 97% of AI-related breaches lacking basic access controls. (IBM)

If your AI program sits outside your security program, you don’t have an AI strategy. You have an AI risk.

For the public sector, this isn’t just about compliance; it’s about maintaining legitimacy when citizens are already wary of how their data is used.

Compliance

Frameworks, Standards and the Governance Layer

Public sector cyber isn’t a greenfield—it sits inside a dense web of policies and frameworks.

Australia — key anchors

Protective Security Policy Framework (PSPF) – whole-of-government protective security, including information and cyber security.

Australian Government ISM and ACSC Essential Eight – technical baselines and maturity benchmarks.

Cyber Security Act 2024 – powers and obligations around critical infrastructure, incident reporting and government cyber maturity. (Department of Home Affairs)

Privacy Act, Notifiable Data Breaches scheme and sector-specific legislation (e.g. health, education, justice).

New Zealand

Government Protective Security Requirements (PSR) and NZISM

Privacy Act 2020 and sector-specific obligations

Global references

NIST Cybersecurity Framework (NIST CSF)

ISO/IEC 27001 and related controls standards

CIS Controls and other benchmarks

Fortura’s perspective as a challenger is that frameworks are necessary but not sufficient: they give you language and structure; they don’t, by themselves, tell you what to do first in your agency, with your systems and your constraints.

Costs of Compromise

The Cost of Getting it Wrong: Beyond the Numbers

The dollar figures matter. In the public sector, the average cost of a breach in 2025 was estimated at USD 2.86 million, and rising.

The heaviest costs are non-financial:

Service disruption

Payments delayed, licences and permits stalled, court or tribunal systems offline, emergency service dispatch impacted.

Citizen impact

Vulnerable people unable to access support, delays in benefits or case decisions, loss of trust in “digital government”.

Political and reputational damage

Media scrutiny, parliamentary inquiries, independent investigations and long-tail commentary.

Regulatory, oversight and audit pressure

From privacy regulators, auditors-general and central agencies.

Add to that the supplier angle: as AI makes deepfake-enabled vendor interactions and synthetic onboarding easier and cheaper, supplier impersonation has become a recurring risk for government procurement and grant processes. (Cyber Daily)

For senior public servants, the real question isn’t “What will cyber cost us?” but:

What will it cost us—in money, legitimacy and service outcomes—if we don’t get ahead of this?

Horizon

The Next 3–5 Years For Government Cyber

Over the next few years, we expect three big shifts for government and public sector cyber:

2027

From “breach response” to “operational resilience”

The test won’t just be whether you had a breach—it’ll be whether critical services kept running and how quickly you recovered. Cyber will sit inside a broader resilience agenda, not off to the side.

2028

From “AI pilots” to “AI accountability”

Central agencies, auditors-general and privacy regulators will expect clear answers on how AI models are governed, trained, tested and monitored. Shadow AI will become a board- and Parliament-level concern.

2029

From “agency-by-agency” to “ecosystem defence”

More shared platforms, cross-jurisdictional initiatives and reliance on commercial partners will force whole-of-ecosystem risk management, including supply chain and data-sharing risks.

Fortura’s commitment as a challenger is straightforward:

  • Be honest about where your biggest risks really are
  • Be clear on which moves will actually matter
  • Be pragmatic about how to get from intent to execution in a public sector context

We’re not here to tell you to stop taking risk. We’re here to help you take the right risks—deliberately, transparently, and with your eyes open.

FAQ

Government & Public Sector

Fortura is a cybersecurity company delivering intelligence-led services today and building security platforms for the future.
Because they hold large volumes of sensitive data, run essential services and are often constrained by legacy systems and tight budgets. Attackers know disruption can create political and social pressure, which increases leverage.
They’re essential, but not sufficient. Many agencies are technically “aligned” on paper yet still struggle with visibility, incident response, supplier risk and AI governance. Fortura helps translate framework compliance into real-world resilience.
Most public sector clients start with a focused risk and exposure review covering key frameworks (ISM/PSPF/Essential Eight), attack surface, AI/shadow AI risks and critical suppliers. From there, we co-design a pragmatic roadmap and support architecture, testing, exercises and operations where needed.
AI is amplifying both sides. Agencies use AI to improve services and efficiency, but adversaries use it for better phishing, deepfakes, automated intrusion and large-scale reconnaissance. The biggest risk right now is ungoverned AI tools deployed faster than security and privacy controls.
We work at both levels—supporting central policy, whole-of-government initiatives and platform owners, and helping individual agencies execute in their specific context. The goal is alignment without assuming a one-size-fits-all solution.
Work with us

Fortura Will Be Supporting You Across Every Phase of Your Security Lifecycle

No Sales Scripts. We'll Talk Through Your Situation.

If you're shaping strategy, assessing risk, or preparing for what's next, we'll help you get clear on priorities and act with confidence. Tell us what you're working through - we'll respond quickly.
