The nation’s top cyber agency revealed it received close to 94,000 cybercrime reports in the last financial year, equivalent to “one every six minutes,” as the cost to Australian businesses rose by 14 per cent.
Cybercrime is expected to cost the world about $17 trillion by 2025.
Hackers are getting more advanced every day, using automated bots to conduct scams like credential stuffing, credit card testing and data scraping.
Founder and CEO of Arkose Labs, Kevin Gosschalk, says criminals are doing “whatever it takes” to make as much money as possible.
“Criminals are after one thing, ultimately, making money, so they’re doing whatever it takes to make as much money as they possibly can,” he told Sky News Australia.
“One of the big adversarial threats we see is big scale attacks – like a human going in and making one fraudulent account or trying to get into one customer’s account, that’s one scale but if you can use a bot, automation tools, that can do it at millions of accounts instantaneously, that’s more profitable for the criminal, so that’s what they are setting up.”
The 2022-23 Cyber Threat Report, published on Tuesday, revealed the ASD received nearly 94,000 reports of cybercrime last financial year and responded to 1,100 “cyber security incidents” across the country.
Australia’s top cyber agency also answered more than 33,000 calls on the Australian Cyber Security Hotline – a 32 per cent increase on the previous year.
Australian businesses also saw an increase in the damage caused by attacks, with the average cost per business rising 14 per cent.
Medium-sized businesses were the hardest hit, the ASD reported, facing an average cost of $97,200 per reported cybercrime.
Large businesses face an average of $71,600 per attack, while small businesses face an average of $46,000.
In a statement discussing the report’s findings, Defence Minister Richard Marles said cybercrime was causing “significant harm” to Australians as he reiterated the government’s commitment to combating the threat.
“The report demonstrates the persistent threat that state cyber capabilities pose to Australia. This threat extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services,” he said.
“The report also confirms that the borderless and multi-billion dollar cybercrime industry continues to cause significant harm to Australia, with Australians remaining an attractive target for cybercriminal syndicates around the world.
“It is clear we must maintain an enduring focus on cyber security in Australia. The Australian Government is committed to leading our nation’s efforts to bolster our cyber resilience.”
Among the other key findings from the ASD was a roughly seven per cent increase in notifications from the agency to entities being targeted by ransomware.
Cybercriminals attempting to steal and ransom data has been a major feature of hacks over the past two years, with hacks on Optus, Medibank and Latitude Financial all resulting in hackers demanding large fees from the companies in exchange for not publishing information.
The aftermath of those breaches also saw government, experts and the public question both the type and amount of data held by companies, with some calling for tougher regulation to prevent businesses from holding certain types of information on customers and clients.
However, KPMG cyber security partner Paul Black told Skynews.com.au that the issue was more complex than it appeared, as he revealed many companies were struggling with “the wild west of data.”
“What we continue to see is unstructured file servers, often containing HR records and internal information such as pricing and confidentiality agreements, where no one quite knows what is on them,” he said.
“At the same time, no one wants to go in and remove the information in case it’s needed, like the phone number of a former financial officer for example.
“It’s the wild west of data and often it’s only after hackers have obtained the data that companies will do a process to actually determine what was there.”
Mr Black explained it was difficult to legislate against the type of servers he described, as it was hard to determine where to draw the line between data that was and was not relevant to the operations of a business in some cases.
However, he said the government could look to restrict the total amount of data collected by companies on clients and customers, as well as consider measures that anonymised certain information to protect against hackers.
The cyber expert also stressed the importance of major companies planning for breaches, explaining that the best test of a business’s ability to respond to a hack was to practise responding to “real situations.”
“The worst time to test is when the bad guys have already stolen the data,” Mr Black said.
“You need to really test and test a lot, understand how you would respond, who you would call, who you would work with in the event of a breach.
“Test against real situations – the most you will get out of a test is when you get a group of execs sitting in a room and sweating, because that’s real.”
In its report, the ASD also noted the importance of developing a “cyber-secure culture” within an organisation, as well as the need for strong partnerships between business and government to help mitigate the threat.
“Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence,” it said.
“To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community.
“The most effective cyber security is collaborative and partnerships are key to this work.”