The vast majority of Federal Government websites have poor levels of encryption, putting the private details of taxpayers at risk, an independent audit finds.

An audit of the websites by two independent systems administrators found that only four government websites out of more than 850 fully protected visitor communications.

The results have surprised other internet security experts, who said the Government needed to beef up its levels of encryption.

Last year, while standing in Australia's new cyber security centre in Canberra, Prime Minister Tony Abbott announced Australia's internet security policies would be put under scrutiny.

The cyber security centre had been announced the year before by former prime minister Julia Gillard, who promised a "world class" facility to tackle a growing overseas cyber threat.

Less than 1pc of websites pass pair's test

But it appears not all cyber issues are being looked at, as the two system administrators found when they reviewed the encryption capabilities of Federal Government websites.

After retrieving a list of more than 850 government domains via a Freedom of Information request, the pair scanned and reviewed the security of each of those websites.

They were looking for the basics, such as whether the site encrypted communications between the server and the user, similar to the way Twitter, Facebook or banks do.

And if they did provide encryption, the pair wanted to know if the sites used the latest software to protect against vulnerabilities or known weak encryption ciphers.

"Ninety per cent of the sites had no security at all," Ashley Hull, one of those behind the security scan, said.

"The ones which were secure were actually based on outdated software."

The pair said overall, only four of the websites passed their test — that's 0.47 per cent.

"The tests we run are fairly ... like, I must say ... low hanging fruit," Mr Hull said.

The systems administrators said the passport office, Commonwealth courts portal, the Fair Work Commission and my.gov.au had good security.

The rest, like the Department of Defence, Department of Finance and Department of Health, need improvement, Mr Hull said.

Ironically, a website used to report online crime, the Australian Cybercrime Online Reporting Network (ACORN), had problems with its encryption certificate.

Analyst and computer expert Nigel Phair from the University of Canberra's Centre for Internet Safety said such examples were worrying.

"When you look at things like the ACORN network, where you're putting in a lot of personally identifying information about you and what has happened, for example, that doesn't pass," Mr Phair said.

"I think with a lot of these sites they really need to be looking at these types of things and looking to [become] https enabled."

'Disconnect' between advice and action

Mr Phair said it would not cost much to improve the security of the websites.

"A lot of people won't notice and a lot of people won't care but that shouldn't mean that you shouldn't enable it," he said.

"It's also a very good thing to do that's quite easy to do and would make people's online experience, I think, a whole lot more safe and a whole lot more secure."

Philip Smith, the other system administrator behind the HTTPSWatchAU website, hoped the site would spur the Government to increase security.

"I would love it if it would [increase security] and certainly we have seen, outside of government, some of the commercial websites we have put on here in the last couple of months ... have actually improved their support for encryption and https," he said.

The Australian Signals Directorate (ASD), as part of the Department of Defence, is responsible for providing advice to Australian government departments and agencies on internet security and encryption.

A spokesperson from Defence told the ABC's PM program that the ASD regularly provided guidance to "prevent and detect the occurrence of cyber threats".

But Mr Smith said their tests showed that for the public using an average government website, the advice appeared not to be getting through.

"There's certainly a disconnect there between the recommendations that the Government is putting out about using encryption and protecting yourself," he said.