The number and sophistication of cyber threats have increased in Australia, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale, according to the third annual threat report from the Australian Cyber Security Centre (ACSC).

The ACSC received more than 76,000 cybercrime reports, an increase of nearly 13% from the previous financial year. This equates to one report every seven minutes, compared to every eight minutes last financial year.

“Australia’s prosperity is attractive to cybercriminals,” the ACSC said.

Small businesses lost an average of $39,555. However, medium-sized businesses with 20 to 199 employees lost the most on average, at $88,407, against $62,233 for large organisations.

The ACSC said this could be because “they were less likely than large organisations to apply cyber security mitigations”.

Malicious state actors also continue to seek sensitive information, including by targeting Australian small businesses and individuals, according to the report. 

Individuals and organisations are not just targeted for their own data holdings; their networks can be weaponised against others. For example, in 2021–22, personal devices and small office or home office (SOHO) routers were used by foreign intelligence services to conduct espionage and theft of intellectual property. 

Malicious actors can use these routers to conduct person-in-the-middle compromises or as a vector to target other networks. The ACSC estimated that at least 150,000 to 200,000 devices in Australian homes and small businesses are vulnerable.

It also highlighted an AFP initiative, Operation Dolos, that works with small and medium businesses that have been targeted by a business email compromise attack to continue to counter the international criminals typically involved.

When it comes to threats, businesses saw financial losses due to business email compromise (BEC) increase to more than $98 million, an average loss of $64,000 per report.

Meanwhile, ransomware groups have further evolved their business model, seeking to maximise their impact by targeting the reputation of Australian businesses. 

The cost of ransomware extends beyond the ransom demands and may include system reconstruction, lost productivity, and lost customers for businesses.

Increasing cyber resilience

Deputy Prime Minister and Minister for Defence Richard Marles said the increased attacks reflected global strategic competition and “regrettably, too many Australians have also felt its impacts”.

Mr Marles said the spate of cybercrimes was a “growing problem” causing significant damage to both big and small businesses as well as to individuals.

“The government considers cyber security and reinforcing our online resilience to be a national priority,” he said.

“In the face of rising threats to the [digitally] dependent Australian economy, cyber defence must be a priority for all Australians. The most effective means of defending against cyber threats continues to be the implementation of the Essential Eight cyber security strategies.” 

The ACSC recommended that small and medium organisations take initiatives to strengthen cyber resilience, with reviewing systems and training employees as the key priorities.

Businesses should review the cyber security posture of remote workers and their use of communication, collaboration and business productivity software, and only use reputable cloud service providers and managed service providers.

Small businesses and individuals should also prioritise automated updates to devices and systems, which help prevent network compromises by even the most sophisticated actors. 
