On average, one cybercrime is reported to the Australian Signals Directorate every six minutes – and cybercrime is on the rise. In 2022-23, 94,000 cybercrimes were reported, 23 per cent more than in the previous year; and the average cost of cybercrime has increased by 14 per cent.

Nevertheless, there are ways both businesses and individuals can protect themselves, such as signing up to the ASD’s free advice program.

“We actually have a lot of opportunity to get our [cyber-]hygiene better and make Australian organisations a harder target,” Stephanie Crowe, First Assistant Director-General Cyber Security Resilience, said. “That will really shift the dynamic.”

The public are far more aware of cybersecurity than they were five or 10 years ago, Ms Crowe said. However, the increase in the digitisation of services and the deployment of devices since the COVID-19 pandemic increases opportunities for cybercriminals to exploit networks.

“Cybercriminals are very opportunistic; they will go after companies, individuals, and entities that have publicly known vulnerabilities, and they’ll use very commonly available tradecraft and tools to go after those vulnerabilities,” Ms Crowe said.

“So it’s not any sort of sophisticated, advanced capability we’re seeing from the cybercriminal cohort. It’s all tools that they can buy on the dark web for a relatively low price, and it’s all through really basic vulnerabilities in the environment.”

The cybercriminal might be a hacktivist sitting in a basement; a member of a significantly resourced and organised criminal group; or even a state adversary.

“All of them have capabilities to compromise and gain information from networks, although their resourcing and intent might be slightly different,” Ms Crowe said. “Cybercriminals are very interested in financial gain, and that’s the objective of their operations. Whereas hacktivists might have a different purpose: to cause disruption. The things we see hacktivists do are things like denial of service attacks, where they make websites unusable; or they might deface websites, put their own propaganda and post those images on websites…”

State actors target government and critical infrastructure as they spy on Australia, the ASD warns. In recent years, there have been cyberattacks on Australian ports, on the Nine Network, and on major political parties, allegedly by countries like China, Russia or North Korea, the media has reported.

Business

More than half of Australia’s businesses are concerned about keeping their businesses cybersecure, according to a survey by the Council of Small Business Organisations Australia (COSBOA), CyberDaily.au reported. Forty-four per cent of small businesses had experienced a cyber-attack; 43 per cent of cybercrime targets small business; and it is the top two risk reported by small business, COSBOA noted in a submission to the Federal Government this month.

The top three cybercrime types for business, according to the ASD, are business email compromise, email compromise, and online banking fraud. Cybercriminals, Ms Crowe explained, send fraudulent invoices to organisations and set up a bank account for those entities to pay them, or they run low-level spear phishing attacks: social engineered emails that entice users to click on links that target their interests or their financial areas of expertise.

“It’s relatively unsophisticated tradecraft,” Ms Crowe said, “and we see a lot of entities experience these, either because users aren’t educated in their organisations about the threats of cybercrime, and so clicking on links seems like an easy thing to do; or individuals in the invoicing and business part of entities just want to respond quickly to invoices and bills as they come in. Some of these can be very sophisticated invoices that are fraudulent, that can trick people into paying bills.”

Unsophisticated those techniques may be, but many businesses fall for them; on average, they cost small businesses $46,000 and medium businesses $97,200 in 2022-23. Business email compromise alone cost Australian businesses $80 million, or $39,000 on average. Cyberattacks can result in significant financial loss, reputational damage, and ongoing attempts by hackers to gain access to network.

“Small businesses have lost a lot of money, some of them to the point of not being able to operate anymore, and a lot of reputational damage can come out of cybersecurity incidents from the customer perspective of no longer willing to trust that entity with their data,” Ms Crowe said.

“In the big incidents that we’ve seen in Australia” – one thinks of the Optus and Medibank data breaches in 2022 – “the theft of PII [personally identifiable information] and then managing the aftereffects of that is quite significant. There are entities that had cybersecurity incidents two to three years ago that are still suffering the impacts of having an adversary compromise their network. The hacker is trying different ways to get back into the network because they’ve been there before and know what it looks like.”

To protect themselves from cyberattacks, businesses should focus on basic cyber-hygiene practices, Ms Crowe recommends.

“The majority of the incidents that ASD has reported to it … could have been avoided by using basic measures like strong passwords, strong passphrases, and implementing multifactor authentication,” Ms Crowe said.

However, COSBOA’s Cyber Wardens program revealed today, half of small business cyber defences lack multi-factor authorisation; many businesses share passwords; half have not updated their cyber security software; and only half back up their data every day.

Businesses should also be prepared for cyberattacks, such as ransomware or data breaches.

“We’re living in a world now where cyber-incidents are inevitable,” Ms Crowe said. “You can do a lot of technical controls to prevent cyber-incidents, but you also have to be prepared for what you do when it goes wrong, how you recover your data, how you notify impacted customers that you’re servicing of an incident, but also how you operate your business in the event of a significant incident like ransomware, where you might not be able to operate.”

The ASD has advice on how entities can prepare, and last year released Business Continuity in a Box, designed to spin up new IT environments for organisations to operate from while they are impacted by cyber-incidents.

Individuals

Australians lost more than $3 billion to scams in 2022 – an 80 per cent increase since 2021, according to the Australian Competition & Consumer Commission. Individuals are most often targeted through identity fraud; online banking / shopping fraud; and investment fraud, the ASD states.

Cybercriminals use stolen credentials (username and password) to commit fraud, trying to use them with other websites. “A lot of the time, they’ll see success, because people are reusing the same password,” Ms Crowe said. Or large companies or firms that hold credit card data within their systems will be compromised.

“Resetting your password regularly, not using the same password across multiple accounts is one of the basic things people can do that would prevent a lot of this activity,” Ms Crowe said.

ASD’s free advice program

The ASD’s Cyber Security Partnership Program offers free tailored advice for individuals, small businesses, and large organisations to protect themselves from cyber threats, including how to protect your personal device, configuring secure clouds from which to operate businesses, or tradecraft to detect malicious activity.

So far, more than 11,000 partners – including 3,000 businesses – have joined the program, “getting good advice and starting to implement that across their networks”, Ms Crowe said.

“We’ve had agencies joined that have received advisories and products from ASD,” Ms Crowe said. “They’ve looked at those in the context of their environment and either detected malicious activity and worked with us to respond to that, or they’ve identified vulnerabilities in their environment that they’ve needed to improve to harden and defend themselves against adversary activity out there on the internet.

“On the individual and small business side, we’ve had lots of good feedback. We work closely with entities such as COSBOA, who have really valued from things like our small business cloud guidance to help entities set up their own secure cloud environment if they’re operating in those environments.

“So there’s a lot of success out of the partnership program in giving the right advice to the tailored audiences that we service.”

Ms Crowe encourages businesses and individuals to join the program.

“A lot of people tend to see this stuff as super-hard,” she said. “Our website is full of free advice; it’s super-easy; it’s tilted at households and people at home. It’s really easy to follow, and it’s free. Just take the time to go and have a look.”

They can also call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371). A team of technical resources and experts are available to answer their questions anytime and provide whatever advice they need.

“It’s all about the hygiene and getting the basics right,” Ms Crowe said. “There’s a lot of focus on what type of technology do we buy, how much do we invest in certain capabilities. Actually, if entities, all the way from individuals to large organisations, focused on basics for their environment – individuals, for example, focusing on making sure they’re protecting themselves by enabling things like automated updates on their devices, all the way through to large organisations looking at products like ASD’s Essential Eight mitigations – that would protect them from 90 per cent of the incidents we receive on a daily basis.

“That hygiene spectrum across all parts of organisations [is] really important, and would actually prevent the majority of things that keep us busy responding to on a daily basis. So just like you would have good safety getting into a car and putting your seatbelt on, the same can be said when you’re logging in to use the internet.”