During these challenging times the Australian Cyber Security Centre (ACSC) has published its Annual Cyber Threat report. Its 74 pages reflect on the relatively innocent times between July 2021 and June 2022. Business-related highlights of the report are summarised below.

Cost of cybercrime

A widely reported headline is that a cybercrime is now occurring every seven minutes. This is accelerating as Australia is highly attractive to cybercriminals due to having the highest median wealth per adult in the world. Medium-sized businesses are suffering the most with an average cost of a reported cybercrime of $88,000, compared with large business at $62,000 and small businesses at $39,000.

Business email compromise

Business email compromise (BEC) is becoming a common attack – an example of which is an email is sent to a business with a fake invoice that is incorrectly paid. This now costs $64,000 per reported incidence, totalling AUD$98M in financial losses.

An example in the report states that a financial company incorrectly paid a legitimate looking $600,000 invoice. Only $140,000 was recovered. You can avoid being a victim by verifying requests for large payments and banking changes including calling a trusted number associated with the business, not the one on the invoice or email.

System vulnerabilities

Software and equipment are created with errors (known as bugs), and some result in security vulnerabilities, the critical ones being the most concerning as they can allow actors into your unpatched systems.

There was a reported 25 per cent increase in reported vulnerabilities by vendors resulting in 24,000 exploits. Malicious actors exploit the vulnerabilities more quickly – even within hours of a patch being available. To avoid being a victim, replace old systems and automatically patch everything as quickly as possible. ACSC is scanning government entities and Australian Internet connections (including businesses) looking for unpatched devices. They estimate that 200,000 home offices and small businesses have an internet setup that is vulnerable to hackers!

Your business could be next

Cybercrime-as-a-Service (Caas) and Ransomware-as-a-Service (RaaS) has lowered the barrier to entry for malicious actors, without technical skills, who now have an opportunity to launch sophisticated and profitable attacks.

Ransomware targets aren’t just large financial companies. The most common reported victims were from education and training organisations, making up 11 per cent of reports due to their open collaborative environments.

What you can do

All businesses need to prioritise cyber security. Those yet to start the journey need to urgently implement basic steps around adopting and reviewing multi-factor authentication, patching and backups of data. As a minimum, businesses should ensure that information and communication technology (ICT) departments have obtained ACSC (Australian Cyber Security Centre) Essential 8 Level 1 maturity and undertake an independent security assessment.

Given the statistics in the report, all businesses will either pay for cyber security as a victim or in prevention. Not addressing cyber security as a priority is a decision where you elect to be a victim.