Cybercrime is on the rise in Australia, with a federal government report revealing businesses were being hit every seven minutes in FY22, up from every eight minutes a year earlier.
The Australian Cyber Security Centre’s (ACSC) annual Cyber Threat Report 2021-22 reveals that cybercrime cost businesses $98 million last financial year, with medium-sized businesses the hardest hit.
Some 76,000 cybercrimes were reported during the year, an increase of 13 per cent on a year earlier, with medium-sized businesses losing an average of $88,000 for every crime reported. This compares with $39,000 for small businesses and $62,000 for larger corporations.
“Over the 2021–22 financial year, the deterioration of the global threat environment was reflected in cyberspace,” says the report, which was compiled with the assistance of the Defence Intelligence Organisation, Australian Federal Police, Australian Criminal Intelligence Commission and Australian Security Intelligence Organisation.
“This was most prominent in Russia’s invasion of Ukraine, where destructive malware resulted in significant damage in Ukraine itself, but also caused collateral damage to European networks and increased the risk to networks worldwide.
“In Australia, we also saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale.”
The ACSC report says cyberspace has become a ‘battleground’ with threats also identified from China and Iran over the past year.
“Regional dynamics in the Indo-Pacific are increasing the risk of crisis and cyber operations are likely to be used by states to challenge the sovereignty of others,” it says.
Fraud, online shopping and online banking were the most reported cybercrimes, accounting for 54 per cent of all reports during the year. The report also warns that between 150,000 and 200,000 small office and home office routers in Australian homes and small businesses are vulnerable to compromise.
The report says ransomware remains the most destructive cybercrime against businesses, and it warns that critical infrastructure networks globally are increasingly being targeted.
“Both state actors and cybercriminals view critical infrastructure as an attractive target,” says the report.
“The continued targeting of Australia’s critical infrastructure is of concern as successful attacks could put access to essential services at risk. Potential disruptions to Australian essential services in 2021–22 were averted by effective cyber defences, including network segregation and effective, collaborative incident response.”
The report says the ‘rapid exploitation of critical public vulnerabilities’ has become the norm for organisations and individuals.
“Malicious actors persistently scanned for any network with unpatched systems, sometimes seeking to use these as entry points for higher value targets. The majority of significant incidents ACSC responded to in 2021–22 were due to inadequate patching.”
During the year, the ACSC says it took down more than 15,000 domains hosting malicious software that specifically targeted Australia’s COVID-19 vaccine rollout.
Although the ACSC estimates cybercrime to have cost Australian businesses $98 million last financial year, it suggests that this figure could be much higher.
“As the volume of cybercrime increases, cybercriminal methodology evolves, and digital transactions blur national borders, it is becoming increasingly difficult to accurately estimate the total cost of cybercrime,” the report says.