The ACSC’s 2023 reporting period covers July 2022 to June 2023 and provides detailed statistics and insights into the cyber security threat landscape in Australia.

In a challenging year, during the reporting period Optus, Medibank Private, Latitude, Woolworths, HWLE, Pizza Hut and Dymocks all reported significant cyber incidents that exposed Australian personal and sensitive data.

The volume of incidents was relentless. Key statistics include:

• More than 94,000 cyber incidents reported (up 23 per cent from the year prior) and more than 33,000 calls to the Australian Cyber Security Hotline.
• This equates to one report every six minutes, an increase from one every seven minutes in FY22-23 and one every eight minutes in FY21-22.
• Small businesses are overrepresented in cyberattacks, reporting 92.6 per cent of all business incidents.
• Small business also reported an increase to $46,000 (an increase of 19 per cent from FY22-23). The cost of this can be crippling, leading to business closure and job losses.
• The burden of cybercrime is felt most by medium businesses, with the average cost per reported cybercrime at $97,200 (an increase of 11 per cent from FY22-23).
• Large businesses reported losses of $71,600 per cybercrime, a smaller relative financial impact considering their resources.
• The top three types of cybercrimes reported by businesses were email compromise, business email compromise fraud, and online banking fraud. These represented 51 per cent of all reported cases by businesses.

While the ACSC Report is based on reported incidents, recent research estimates that the true figure could be up to 12.7 times higher (more than one million cybercrimes).

The report highlights that businesses cannot be complacent around updating (patching) their digital devices. Twenty-one per cent of hacks occurred within 48 hours of a software vendor reporting a vulnerability.

In an industry briefing, Australian Signals Directorate (ASD) noted that companies are reporting incidents through legal counsels, which reduces the speed and volume of information provided. This means information may be too late to share anonymously with industry partners to prevent similar attacks. ASD is advocating for 'Safe Harbour' laws that provide legal protections for companies that share information with ACSC while responding to a cyberattack.

ASD notes that going forward, Australia continues to be a tempting target due to our relative wealth, high levels of online connectivity, and increasing delivery of services through online channels. These factors combined with the amount of insecure digital devices each individual uses make Australian profitable for cybercriminals.

The geo-political situation, comprising the AUKUS alliance with its associated valuable military intellectual property (e.g. nuclear energy) coming to Australia, also amplifies Australia as a target.

What is Australia doing about it?

In a recent ASD forum discussing the report, a major cyber stakeholder posed the question: “Is Australia the most hacked nation in the world?”.

ASD noted the general threat landscape and its initiatives to reduce the prevalence of cyber incidents. During the reporting period, ACSC-led initiatives saw the ASD Cyber Security program grow to 110,000 partners, the Protective DNS system blocked 67 million malicious domain requests, 127,000 attacks against Australian servers were blocked, 33 per cent of ASX200 boards were briefed, and 20 cyber security exercises undertaken.

Under the $9.9 billion REDSPICE initiative, Australia’s cyber spy agency will double its personnel over the coming years, fortifying Australia’s sovereign cyber defense capability.

The highly-anticipated 2023-2030 Australian Cyber Security Strategy is expected before the end of the year and will detail a vision for how Australia will be the most cyber secure country in the world by 2030.

Deputy Prime Minister and Minister for Defence Richard Marles said: “The Annual Cyber Threat Report demonstrates how governments, businesses and critical infrastructure networks have been targeted by state and non-state actors, with the aim to destabilise and disrupt.

“The report underscores the importance of ASD’s work in defending Australia’s security and prosperity and reinforces the significance of investment in ASD’s cyber and intelligence capabilities under Project REDPSICE.”

Victorian Chamber advocacy

The Victorian Chamber has provided detailed industry insights to the Minister’s office to help shape the 2030 Strategy through our Cyber Security and Scams Policy Position. Our Policy Position, developed through extensive consultation with small, medium and family businesses, telcos, social media platforms, health providers, education institutions, banks and other critical infrastructure, contains 24 ‘game-changers’ to protect businesses from cyber threats.

Victorian Chamber Executive Director of ICT Glenn Goodwin said: ”The ACSC Annual Cyber Threat Report is uncomfortable reading. Through our recent cyber policy position development, we have heard from businesses that have experienced cyber incidents.

“Behind each statistic is a business who has experienced suffering often in isolation. Thankfully by the ACSC providing this fourth annual report, we can accurately assess the scale of the problem and therefore adequately resource and commence to resolve the issues.”

Practical advice

• ACSC reports that most incidents would be prevented if simple preventative measures were in place like MFA, patching and backups. The Victorian Chamber has provided some quick explainer videos to get you started on these preventative cyber practices.
• Get foundational cyber knowledge by undertaking VCCI’s Cyber Security Essentials for Business self-paced learning.
• Get our free Small Business Cyber Security Checklist to review your cyber defenses.