The Australian Cyber Security Centre (“ACSC”) recently released its Annual Cyber Threat Report for the 2020-21 financial year (“Report”).
The Report contains an overview of the key cyber security threats affecting Australia, outlines the types of cybercrime and cyber security incidents and related statistics, and provides guidance on how Australian businesses can prepare for, protect against, and respond to cyber incidents.
What is the reported incidence of cyber threats in Australia?
In Australia, during the 2020-21 financial year, the ACSC observed:
- over 67,500 cybercrime reports, an increase of nearly 13% from the previous financial year;
- this equates to one report of a cyber-attack every 8 minutes;
- self-reported loss from cybercrime totalled more than $33 billion;
- medium-sized businesses reported the largest average financial loss per report;
- over 1,500 cybercrime reports per month of malicious cyber activity related to the coronavirus pandemic (approximately 4 per day);
- more than 75% of pandemic-related cybercrime reports involving Australians losing money or personal information;
- nearly 500 ransomware cybercrime reports, an increase of nearly 15% from the previous financial year;
- fraud, online shopping scams and online banking scams were the top reported types of cybercrime; and
- an increase in the average severity and impact of reported cyber security incidents, with nearly half categorised as category 4 (substantial).
Key Cyber Security Threats and Trends
The ACSC identified the following key cyber security threats and trends in the 2020-21 financial year:
- Exploitation of the pandemic environment: the coronavirus pandemic continued to expand the boundaries of Australia’s computer networks, with a large percentage of the workforce shifting to remote working arrangements. The speed at which this occurred saw many organisations rapidly deploy new remote networking solutions, sometimes to the detriment of their cyber security. Various malicious cyber actors repeatedly took advantage of Australia’s heightened vulnerability during this time to conduct espionage, steal money and sensitive data, and disrupt the services on which Australians rely.
- Disruption of essential services and critical infrastructure: approximately one quarter of cyber incidents reported to the ACSC were associated with Australia’s critical infrastructure or essential services. Significant targeting of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.
- Ransomware: ransomware poses one of the most significant threats to Australian organisations. Ransom demands by cybercriminals ranged from thousands to millions of dollars, and their access to dark-web tools and services improved their capabilities. Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation.
- Rapid exploitation of security vulnerabilities: criminal cyber actors continued to compromise large numbers of organisations by exploiting publicly disclosed vulnerabilities at speed and scale. Malicious actors exploited security vulnerabilities, at times within hours of public disclosure, patch release or technical write-up.
- Supply chains: supply chains – particularly relating to software and services – continue to be targeted by malicious actors to gain access to a vendor’s customers. The threat from supply chain compromises remains high – it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
- Business email compromise (BEC): BEC continues to present a major threat to Australian businesses, especially as more Australians work remotely. Cybercriminal groups conducting BEC have become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians. In the 2020-21 financial year, the average loss per successful BEC event increased to more than $50,000 – over 1½ times higher than the previous financial year.
Actions Australian businesses must take in this heightened threat environment
The ACSC listed some prioritised actions that Australian businesses should take to protect themselves against cyberattacks. These actions include, but are not limited to:
- Reporting all cybercrime and cyber security incidents: reporting will assist the ACSC in properly understanding the Australian cyber threat environment.
- Knowing your networks: all businesses must understand and review their networks to establish where valuable or sensitive information and infrastructure is located and apply appropriate cyber security measures proportionate to the risk of compromise.
- Patching within 48 hours where an exploit exists: malicious cyber actors monitor reporting of security vulnerabilities and use automated tools to regularly scan for and exploit network vulnerabilities. This means that organisations can no longer follow monthly patch update cycles and should prioritise patching to protect their networks from cyber security incidents. Businesses must ensure patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Where that is not possible, it is important that organisations have robust cyber incident detection and response plans in place.
- Preparing for a cyber security incident: each Australian business should have an incident response, business continuity and disaster recovery plan in place. An incident response plan enables organisations to respond decisively to a cyber security incident, limit its impact and support recovery. Testing the incident response, business continuity and disaster recovery plans provides an opportunity to review and improve them in a controlled environment. Please see our article “Cyber Security: Prevention is the Best Cure” for further information on preparing for a cyber security incident.
Hamilton Locke’s Privacy and Data Security team can advise you and help protect your business against cyber security threats. As part of our “Data Breach and Incident Response System” (DBIRS) offering, we can assist you in identifying your current cyber security situation, reviewing your processes and advising where improvements can be made to ensure “best practice”. As part of DBIRS, we can also prepare an incident response plan for your business or conduct a review of your existing incident response plan to ensure your business is adequately protected against the growing number of cyber security threats. Please contact Alex Ninis or Sarah Gilkes if you require further assistance.