The Australian Signals Directorate’s annual threat report has revealed a nine per cent increase in ransomware attacks for the year, as parliament seeks to urgently pass new cyber security laws.
The Australian Signals Directorate received an average of 100 calls per day relating to cyber incidents in the past year, with extortion-based activities like ransomware increasing by 9 per cent.
The ASD’s annual threat report, released today, detailed several trends in the Australian cyber landscape, including a rise in extortion activities and state-sponsored attacks on Australian critical infrastructure.
Around 11 per cent of the 1,100 incidents the ASD responded to included ransomware, a three per cent increase on the previous year.
Incidents targeting government bodies accounted for just under half of all incidents (federal 37 per cent, state/local 12 per cent), although the more stringent reporting requirements of government bodies versus non-government bodies may have influenced this.
Healthcare and social assistance was the most targeted non-governmental sector, accounting for 6 per cent of all cases.
The average loss from a cyber-attack on small business rose eight per cent to $49,615, while the cost for medium business was down 35 per cent to $62,870, and large business down 11 per cent to $63,602.
The ASD responded to 53 denial of service (DoS) or distributed denial of service (DDoS) attacks, a 15 per cent decline on the previous year.
The report also identified an increase in politically motivated cyber activity – particularly around the ongoing Israel-Hamas conflict.
In his foreword to the report, Defence Minister Richard Marles highlighted the prevalence of state-sponsored incidents.
“Malign actors – both state and non-state – are improving their cyber capabilities, increasing the risk of disruptions to Australia’s critical systems, infrastructure and networks,” he said.
“Grey-zone activities have also expanded in the Indo-Pacific, with malicious cyber actors continuing to conduct espionage and spread disinformation.”
Another trend observed in the report was the rise of artificial intelligence in the cybercrime landscape.
The report gave an example of a vishing scam – video phishing – in which a multinational company was targeted by cybercriminals using deepfake AI videos of its chief financial officer to convince an employee to transfer millions of dollars to the criminals.
Quishing has also become a problem – the use of QR codes to trick people into providing personal information or downloading malware onto smart devices.
In late 2023 the Australian Tax Office was impersonated in a quishing scam, in which an email informed people they must update the multifactor authentication on their myGov account.
The email included a QR code linking to a fake myGov login page designed to steal victims' details, which were then used to change bank details so payments were redirected to the scammer’s accounts.
The release of the report comes a day after the Parliamentary Joint Committee on Intelligence and Security recommended the Cyber Security Bill 2024 be passed “urgently”.
The Bill seeks to establish minimum cybersecurity standards for smart devices, create a cyber incident review board, and introduce mandatory reporting for businesses that pay a ransom because of a cyber incident.
It also aims to empower government to direct entities to rectify significant deficiencies in their risk management programs.
The one caveat to the Joint Committee’s recommendation to urgently pass the bill was for mandatory reporting of ransomware to “apply only to the extent that a ransomware incident relates to the reporting business entity’s operations in Australia”.
The Joint Committee recommended mandatory reporting of ransomware payments only apply to businesses with $3 million turnover or more.
When introducing the Bill last month, Cyber Security Minister Tony Burke said the legislation was long overdue.
“Australians love the convenience of smart devices at home, but consumers need to know that smart devices are still safe devices,” he said.
“We know government has to lead the way on cyber, but we also know we can’t do it alone, which is why these new laws have been consulted extensively with business.
“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to, and bounce back from cyber security threats.”
The release of the report and pressure to pass the bills come after the Actuaries Institute warned Australian small and medium businesses were being left behind in the fight against cyber attacks.
In its dialogue paper, Cyber Protection Gap Widens for SMEs, the institute said there was a growing gap between corporations and the 3 million SMEs in terms of preparedness for a cyberattack.
Paper author Win-Li Toh, a principal at actuarial consultancy Taylor Fry, said a series of cyber-attacks in the past two years had provided a wake-up call for corporate Australia, but SMEs had not followed suit.
“SMEs often haven’t had the bandwidth or opportunity to really understand and tackle the risks,” she said.
“Many have put cyber into the ‘too hard’ basket, because they’re daunted by the technical jargon and don’t know where to start with implementing cyber security measures.
“Another barrier is the cost associated with cyber security when SMEs are battling challenging economic conditions.”
Ms Toh said many SMEs mistakenly believe they’re too small to be targeted by cyber criminals.
“They don’t realise a serious cyber incident could cause their business to collapse,” she said.
Ms Toh – who is also the incoming president of the Actuaries Institute – said with 62 per cent of SMEs reporting a cyber incident, a concerted effort was needed to bridge the cyber protection gap.
“Given SMEs are the lifeblood of our economy, employing up to a third of our workforce, and cyber risks are always changing, they shouldn’t be depending on luck to protect them from a cyberattack – they need to depend on knowledge, good cyber hygiene and robust cyber defences,” she said.
“SMEs are our real estate agents, our mortgage brokers, our doctors’ practices and our pharmacists.
“They often have sensitive and personal information, and a cyberattack could have a big impact on any one of them and broader society.”
