
Why is Australia failing to stop cyber-crime?

Niek Dekker

Australians spent $5.6 billion on cybersecurity products and services in 2020, according to industry body AustCyber. And that figure is likely to rise.

So, with Australians spending more than ever on cybersecurity, the number of cyber-incidents should be decreasing… right?


Reports of cyber-attacks keep growing year-on-year. High-profile attacks, like those on Optus and Medibank, demonstrate that cyber-attacks are having a devastating impact on Australia. Targeted organisations can face massive losses, while millions of individual customers suffer the consequences of stolen personal information.

All this raises the question: why, despite record spending, is Australia failing to stop cyber-crime?

At least part of the answer may lie in the fact that our cybersecurity approaches don’t always match up with the most common types of cyber-crime.

Cybersecurity versus cyber-crime

The Australian Cyber Security Centre (ACSC) defines the term “cybersecurity” as the measures used to protect the confidentiality, integrity and availability of systems, devices and the information residing on them.

However, if you take a look at the most recent Annual Cyber Threat Report by the ACSC, you’ll notice something interesting. In the vast majority of cyber-crimes reported to the ACSC over the last 12 months, the goal was not to compromise the confidentiality, integrity or availability of systems, devices or information.

Instead, the goal was to steal money.


ACSC: Cyber-crime reports by type for financial year 2021-22

The top eight reported cyber-crimes were all financially motivated. Together, they represent over 83% of all cyber-crimes reported to the ACSC last financial year.

Rank   Cyber-crime type                    Share of all reports (%)
1      Fraud                               26.9
2      Online shopping scams               14.4
3      Online banking scams                12.6
4      Investment scams                    12.2
5      Business email compromise scams     6.12
6      Online selling scams                4.36
7      Bulk extortion                      3.93
8      Romance scams                       3.01
       Total (top eight)                   83.52

Often, cybersecurity is focused on protecting data and the associated ICT systems, yet the cyber-criminals are overwhelmingly focused on the money.

In other words, our investments in cybersecurity products and services aren’t aligned with the actual threats – or with what’s motivating them.

Developing a cyber-crime strategy

Organisations are starting to focus even more on their cybersecurity strategies. They’re routinely penetration-testing their environment, developing comprehensive information security policies and investing in systems like multi-factor authentication. All of this helps protect against data breaches and security threats.

These initiatives can definitely make life harder for hackers, but they aren’t directly focused on safeguarding your financial assets. Sure, protecting your money will be a by-product of all these initiatives, but these cybersecurity initiatives don’t do much against the tsunami of financially motivated scams currently drowning Australians.

Protecting your money from financially motivated cyber-criminals requires a different approach. It requires a comprehensive cyber-crime strategy.

What is a cyber-crime strategy?

A cyber-crime strategy shares a lot of elements of a cybersecurity strategy. For example, strong user access controls are an essential feature of both. By restricting access to systems to those who absolutely need access, you can help protect both your data and your finances.

What sets a cyber-crime strategy apart from your cybersecurity strategy is that it helps you stop scammers who are using digital systems to trick people into handing over money. And, as we can see from the statistics above, financially motivated cyber-crimes represent the overwhelming majority of cyber-crimes.

A cyber-crime strategy brings together elements of your cybersecurity strategy and your financial controls. It recognises the importance of information security but also recognises the importance of robust financial controls, like segregation of duties.


How can a cyber-crime strategy stop financially motivated cyber-crime?

Take Business Email Compromise, or BEC, as an example.

BEC attacks cost Australians over $98 million last financial year, with the average amount lost in a BEC scam soaring to over $64,000.

BEC typically involves attackers gaining access to an executive’s or a supplier’s email account, or convincingly spoofing one, and using it to send Accounts Payable (AP) staff instructions to make illegitimate payments, often to fictitious suppliers or to “updated” bank details. While your cybersecurity strategy should prevent scammers from accessing your own email accounts in the first place, we know that no cybersecurity strategy is foolproof. And no matter how strong your cybersecurity strategy might be, you have no oversight or guarantees when it comes to your suppliers’ security practices: a genuine invoice sent from a genuinely compromised supplier mailbox passes every check your email security can run.

Stopping BEC requires more than simply protecting your email accounts from unauthorised intrusion. It also requires strong financial controls to ensure that:

  1. One AP officer enters payment requests into your system, but a different AP officer actions the payment (segregation of duties), and
  2. All outgoing payments, and any change to a supplier’s bank details, are double-checked through a call-back to a phone number already held on file for that supplier, never to a number supplied in the email or invoice that requested the payment.
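The two financial controls above, expressed as a pre-release check that an AP system could run on every payment. This is an added example written for this article, not Eftsure’s product, the ACSC’s guidance, or code from the original page. It assumes a supplier master file that records each supplier’s verified bank account and an onboarding phone number, and it assumes bank-detail changes are only ever made through that onboarding process, never through a payment request; the supplier, officer names, account numbers and phone numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Supplier:
    """One row of the supplier master file (assumed structure, constructed data)."""
    name: str
    bsb_account: str     # bank details verified when the supplier was onboarded
    phone_on_file: str   # contact number recorded at onboarding, independent of any email


@dataclass
class PaymentRequest:
    """A payment as keyed into the AP system from an invoice or email."""
    supplier: str
    amount: float
    bsb_account: str                        # destination account as typed in from the request
    entered_by: str                         # AP officer who keyed the request
    released_by: Optional[str] = None       # AP officer who actions the payment
    callback_number: Optional[str] = None   # number the releasing officer actually dialled


# Constructed master file for this example; not a real supplier, account or number.
MASTER_FILE: Dict[str, Supplier] = {
    "Acme Pty Ltd": Supplier("Acme Pty Ltd", "062-000 12345678", "02 9999 0000"),
}


def check_payment(req: PaymentRequest, master: Dict[str, Supplier] = MASTER_FILE) -> List[str]:
    """Return the control violations for a payment; an empty list means it may be released."""
    violations: List[str] = []

    # Control 1: segregation of duties. The person who keyed the request
    # must not be the person who releases the money.
    if req.released_by is None:
        violations.append("NOT_RELEASED")
    elif req.released_by == req.entered_by:
        violations.append("SEGREGATION_OF_DUTIES")

    supplier = master.get(req.supplier)
    if supplier is None:
        # A payee with no master-file record is exactly what a
        # fictitious-supplier BEC produces: stop here, nothing to call back to.
        violations.append("UNKNOWN_SUPPLIER")
        return violations

    # Control 2a: the destination account must match what was verified at
    # onboarding. "New bank details" arriving inside a payment request are
    # the classic BEC move, so they are rejected rather than applied.
    if req.bsb_account != supplier.bsb_account:
        violations.append("BANK_DETAILS_MISMATCH")

    # Control 2b: a call-back must have happened, and to the number on file.
    # A number quoted in the requesting email belongs to whoever wrote it.
    if req.callback_number is None:
        violations.append("NO_CALLBACK")
    elif req.callback_number != supplier.phone_on_file:
        violations.append("CALLBACK_NOT_TO_NUMBER_ON_FILE")

    return violations


# Constructed scenarios: one legitimate payment and three BEC-shaped ones.
LEGITIMATE = PaymentRequest("Acme Pty Ltd", 64000.0, "062-000 12345678", "alice", "bob", "02 9999 0000")
BEC_NEW_ACCOUNT = PaymentRequest("Acme Pty Ltd", 64000.0, "012-003 99999999", "alice", "bob", "0400 000 000")
SINGLE_OFFICER = PaymentRequest("Acme Pty Ltd", 64000.0, "062-000 12345678", "alice", "alice", "02 9999 0000")
FICTITIOUS_SUPPLIER = PaymentRequest("Globex Supplies", 12500.0, "033-001 55555555", "alice", "bob", "0411 111 111")

if __name__ == "__main__":
    for label, req in [("legitimate", LEGITIMATE), ("changed account", BEC_NEW_ACCOUNT),
                       ("one officer", SINGLE_OFFICER), ("unknown supplier", FICTITIOUS_SUPPLIER)]:
        print(f"{label:>16}: {check_payment(req) or 'RELEASE'}")
```

The point of the check is that it never trusts anything that arrived with the request: the account number is compared against the master file, and the call-back only counts if it went to the number recorded at onboarding. Both "changed account" and "unknown supplier" fail even though the requesting email may have come from a perfectly genuine, compromised mailbox.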

By ensuring you have both strong cybersecurity measures and robust financial controls, you can protect your organisation from rising cyber-crime.

Find out how to develop and implement your own cyber-crime strategy

Our Cybersecurity Guide for CFOs dives deeper into what’s fuelling new cyber-crimes and provides practical guidance for implementing your own cyber-crime strategy.
