The Australian Signals Directorate (ASD) released its annual Cyber Threat Report on 14 November 2023, and it makes for sobering reading. It’s probably no surprise that cyber attacks are increasing, as is the scope and scale of the actors involved.
Cybercrime is big business. In fact, it’s a multi-billion dollar industry that impacts millions of Australians, including individuals, businesses and governments. The harms from cybercrime often go beyond financial and reputational damage to personal health and legal issues.
We’ve summarised some of the key takeaways from the report, along with ASD’s recommendations on how organisations can be cyber-safe and resilient.
National impact
State actors focused on critical infrastructure for data theft and disruption of business; for example, Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage.
Australia remains an attractive target for cybercriminals. Last year’s ASD Cyber Threat Report noted that part of the reason is that Australia has some of the highest median wealth per adult in the world.
The Federal government had the highest number of reported cyber security incidents, followed by State and local government and then professional, scientific and technical services. The report points out this could be because government sectors have strict reporting obligations.
Cyber threats
The top three cybercrime types for Australian businesses were:
- email compromise
- business email compromise, and
- online banking fraud.
Ransomware is still the most common and destructive cybercrime threat—over 90% of extortion-related cyber security incidents involve ransomware.
Phishing is still one of the most common and effective techniques cybercriminals use.
The top three sectors reporting cybercrimes through ReportCyber were retail trade; construction; and professional, scientific and technical services.
Complex ICT supply chains and advances in AI are challenging cyber security.
One in five critical vulnerabilities was exploited within 48 hours, despite patching or mitigation advice being available.
Costs of cybercrime
The average financial loss for an organisation in Australia from each business email compromise incident was $39,000. The average cost per reported cybercrime incident was $97,200 for medium businesses and over $71,600 for large businesses, an average increase of 14% from the previous year.
Total self-reported losses from business email compromise incidents were almost $80 million.
Australians lost over $3 billion to scams in 2022. Older Australians aged 65 and over lost more money to scams than other age groups.
Recommendations
To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight but also fostering a positive cyber-secure culture across business and the community.
Organisations should:
- mandate cyber security training for staff, particularly on how to recognise scams and phishing attempts
- implement clear policies and procedures for workers to prevent business email compromise
- review the cyber security posture of remote workers, including their use of communication, collaboration and business productivity software
- regularly test cyber security detection, incident response, business continuity and disaster recovery plans (this is a requirement of information security frameworks such as ISO 27001 and SOC 2)
- report cybercrime and cyber security incidents to ReportCyber.