A cyber crime was reported every six minutes and cost small businesses an average of $46,000 last financial year, the Australian Signals Directorate says, as incidents surged 23 per cent.
The federal agency responsible for cyber crime fielded 94,000 incident reports in 2022–23 and the self-reported cost to businesses increased by 14 per cent over each of the past two years.
Its Cyber Threat Report 2022-2023 found the cost of cyber crime grew the most for small businesses that recorded an average of $45,965, up 53 per cent from $29,901 in 2020–21.
Costs for medium businesses stayed steady in recent years, averaging $97,203 last financial year. Large businesses were less financially impacted than medium businesses, with their costs averaging $71,598 during the same period.
The report said cyber crime rates were highest in Queensland and Victoria, states that experienced “disproportionately higher rates of cyber crime relative to their populations”. However, the highest average reported losses were experienced by victims in NSW (around $32,000) and the ACT (around $29,000).
The ASD’s cyber security hotline also received 90 calls on average every day, with average call volumes up 32 per cent compared to 2021-22.
The ASD attributed the surge of attacks to the “professionalisation” of actors in the “cyber crime industry”.
“The professionalisation of the cyber crime industry means cyber criminals have been able to increase the scale and profitability of their activities,” the ASD said.
“The accessibility of criminal marketplaces has also lowered the bar for entry into cyber crime, which has made cyber crime more accessible to a wide range of actors.”
Businesses reported email compromise, business email compromise (BEC) fraud and online banking fraud as the most common cyber crimes they experienced.
Data breaches were also common, accounting for 13 per cent of all incidents reported to the ASD.
The report found that data breaches generally involved “opportunistic intrusions” by hackers exploiting a single internet-facing application, using a “smash and grab” technique to steal data directly. In some cases, hackers would then move “laterally” to find more data to exploit.
Hackers tended to steal contact, identity, health and financial information as well as tax file numbers and other commercially sensitive material, and an average of 120 gigabytes of data was affected in each breach.
Ransomware only accounted for 10 per cent of all cyber security incidents but was the most “destructive” threat nationally, with “professional, scientific and technical services”, retail trade and manufacturing sectors the most affected.
The report said AI presented new data and cyber security risks.
“Profit-driven cyber criminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims,” it said.
“Malicious cyber actors could use AI tools to augment their activities. A cyber criminal may be able to produce low effort, high quality material for phishing attacks. AI could also be used to create fraudulent deep fake content like voice and video clips, or to create malware.”
However, the ASD said AI could also help businesses stay on the offensive by sorting through large amounts of logs and data to look for suspicious behaviour, identify malware and block exploitation attempts. It could also help triage information and automate security tasks.
“Entities wanting to adopt AI tools should treat them with the same care as any other ICT service, using a risk-based approach,” it said.
Defence Minister Richard Marles said the ASD’s report showed that Australians remained an attractive target for cyber criminal syndicates around the world.
“This report presents a clear picture of the cyber threat landscape we face and is a vital part of Australia’s collective efforts to enhance our cyber resilience,” he said.
“The report also confirms that the borderless and multi-billion dollar cybercrime industry continues to cause significant harm to Australia … it is clear we must maintain an enduring focus on cyber security in Australia.”
You are not authorised to post comments.
Comments will undergo moderation before they get published.