Suddenly, we hear more and more about cyber incidents. The Medibank and Optus data breaches occupy the media headlines, and it seems that large-scale cyber-attacks are happening all around us.
But a more alarming indication was given this week by the Australian Cyber Security Centre (ACSC) with the release of its third annual threat report, revealing that it received over 76,000 cybercrime reports last financial year, a 13 per cent increase from the year before. That’s one report every seven minutes, and the reports cover incidents targeting businesses and organizations of various kinds, not just big ones. But this tells only part of the story, as there is a consensus among experts worldwide that cybercrime is widely under-reported (some estimate that reported cases amount to less than 5% of actual incidents). Taking these data points into consideration, we can safely assume that cybercrime affects the majority of organizations in Australia.
What kind of crimes are we talking about?
The agency mentions several prominent crimes in its report. The most noticeable one is ransomware, which marked a 75 per cent increase on the year before. This is likely due to the nature of this threat, which makes itself well known to the victims and thus is rather easy to detect. Ransomware affected the following sectors the most:
· The education and training sector (11% of all reported cases)
· Information media and telecommunications (10%)
· Professional, scientific and technical services (10%)
· Government (8%)
· Healthcare and social assistance (8%)
If your organization is in one of these sectors, take notice.
BEC and fraud were placed high on the list, with about 54% of all reports including statements of fraud in online shopping and online banking. BEC (business email compromise) caused a staggering $98 million in damage in total (or an average loss of $64,000 per report).
The average cost of every cybercrime reported has also risen, but it had different impacts depending on the size of the business:
· $40,000 for small businesses
· $88,000 for medium businesses
· $62,000 (and more) for large businesses
The report says the reasons for the increased cybercrime activity targeting Australian businesses are Australia’s wealth, high internet connectivity, and business and investment structure (being very open and hence extremely susceptible to attacks and manipulation).
We can also speculate that the long-lasting impact of COVID-19 on the economy, meaning more people working from their homes rather than in the relative security of their offices, also increased the motivation and opportunity for attackers.
Another reason mentioned in the report is that numerous software vulnerabilities are being targeted faster and by more actors. Over 24,000 Common Vulnerabilities and Exposures (CVEs) were identified during 2021–22. Several critical and high-impact vulnerabilities stood out (such as vulnerabilities in Microsoft Azure and Log4j products), and these were rapidly exploited, some within days of their publication. Organizations can’t control these vulnerabilities (they can only patch quickly), but they can control their preparedness. Many businesses and organizations suffer from insufficient cyber awareness, which results in poor cyber measures being implemented, such as weak passwords, password reuse, and mixing private and business accounts and credentials.
No one knows what the future holds, but it is safe to assume that cyber threats will only multiply. Recent events will surely have a profound impact on the proliferation of cybercrime. Among them, the stalemate in the Ukraine conflict means that cyber criminals (from both sides) now have more time to engage in pure “cyber criminal” activities (up until now, some of them were busy supporting their respective country’s fighting efforts).
In addition, the recently published data breaches are bound to morph into numerous smaller attacks, since the attackers now have the personal information of millions of Australians, and this data will surely be used for follow-up attacks and fraud attempts.
The ACSC has produced an incredibly sound and detailed report. This should be used to educate decision makers about the importance of cyber readiness and awareness in their organizations. By doing so, they can reduce the risk of their organization being part of the grim cybercrime statistics.