https://www.abc.net.au/news/2020-06-20/australian-departments-routinely-audited-for-cyber-readiness/12375050
Some (most I would suggest) IT managers are incompetent and that is why there are vulnerable systems out there.
Example 1. I personally knew a bloke who took charge of the Victorian Government's main website. The front page showed a map of Victoria with the slogan "Victoria - The Place To Be". Hackers easily modified the front page to show a Real Estate "SOLD" banner on an angle across the front page. This was at a time when the state government was selling off our vital assets and real estate to foreigners. There was next to no security on the website. The hack was hilarious and it hit the news. The defaced web page stayed hacked for over a day.
Example 2. I suffered under an IT manager who literally did not know the difference between bits and bytes. He ran the worst IT department I have ever seen. The Internet was so slow, engineers had to go home to download datasheets on a USB stick, which compromised security. I could write a book on him.
Example 3. An IT manager failed to have any UPS battery maintenance processes. One day when the mains power did fail, 73 servers crashed. After that he thought he might need to replace the dead batteries in all the UPSs. His department was formally called "Information Systems", but everyone including the department themselves called it "IS".
Example 4. The Victorian Dept of Education spent megabucks on very expensive firewalls for each school even for tiny country schools with 20 kids in them (~20K each?). No training provided. No support. An IT guru I know that was involved said a $200 router/firewall would have done the same job and would have been much easier to set up.
Example 5. The recent census was a huge debacle by the federal government. They failed to estimate the peak demand on census night and the system crashed, being out of order for weeks. They blamed hackers. If it were hackers as well, they were ill prepared. They had to extend census night for a month.
To be fair, there are a few IT people I have come across that are worth their salt. Some are brilliant. It seems genuine enthusiasts are more valuable, irrespective of qualifications. Good hackers who played around with Commodore 64s or the TRS-80 in their younger years and know how a PC and network function seem to have the knack. Two of the best IT boffins I have known did not have degrees. One big reason why the EEVBLOG is so good: it attracts people with the knack like bees to a honeypot.
In my last job before retirement, we had one computer which was only used for operating the equipment that was our primary reason for existing.
This was not connected to the network, or the Internet, & had a proprietary program used to control the equipment.
We also had a contracted IT bloke, who would come in of a night every few weeks, do updates on the PCs & the Server.
One morning, I came in, to find the operators in a panic, because the control PC was not showing the whole control window, especially the equipment "on & off" functions.
I fiddled around, & got that back, but another problem arose, in that, every 3 minutes or so, the required display would disappear, replaced by a generic "Windows" one, unless the operators wiggled the mouse a few times.
I bailed on that one, & went to tell the Boss.
She was already preparing to ring the IT guy, as none of the office PCs worked!
On another occasion, after he had been, I sent an email to a supplier, & was amazed to see it rejected by our Server, due to "Racial vilification".
What!!
On investigation, I found that if I stood on one leg, scrinched up my eyes, & held my head just so, it just, sorta looked like the supplier's name & his ABN number was ever so slightly like a very nasty comment about indigenous people.
Astounded by this, I sent the Boss an email saying "The bloody thing rejected my email"
You guessed it: rejected for "profanity!"
I dragged my aged bones down the stairs to tell the Boss.
Again, she was ahead of me, & was on the phone to the IT guy, with flames pouring out of her mouth. Not a happy lady!! x 10
Ok, the IT guy was useless, but why anyone thought providing a censorship function to the email program was a good idea is beyond me!
Previous to that, I worked at a place where they were paranoid about their "intellectual property", to the extent that they wouldn't even give us schematics of their "mother board" (which was actually an interface board--all the real "smarts" were in a couple of PCs).
The IP in that board was all "Public Domain" stuff straight from the "National Semiconductors" handbook!
They were always worried about getting "hacked", & didn't like it when I pointed out somebody could break into the place with a "sharp fingernail", leave a small TV camera over one of the IT guy's desk, (or, I suppose, use a key logger, but I'm an old TV person), capture all his keystrokes when he logged in to his PC, come back in the next night, log in, & "have the run of the place", software wise!
Physical security was non-existent. From memory, they "lost" a laptop at one stage.
They kept a bunch of software guys on call to help customers with their problems, but most of the time, they were dealing with hardware problems which they had no expertise in.
The software itself was rugged, but some of the hardware was seriously dodgy!