Cyber Brief for CFOs: November / December 2024
All the news, tactics and scams for finance leaders to know for November / December 2024.
The latest annual report from the Australian Signals Directorate (ASD) has detailed the persistent threat that Australian businesses face from cybercrime.
While the number of reported cybercrimes in this financial year – 87,400 – decreased by 7% from FY2022-23, the number of calls to the Australian Cyber Security hotline increased to 100 per day – up from 90 in the previous report.
While the number of cybercrimes may have decreased slightly – potentially illustrating businesses and individuals are becoming a little more switched on to the threat – the financial impact of many incidents is increasing. Small businesses, in particular, are paying a heavy price.
Don’t have time to read the full report? Here are some of the most important findings for finance and accounts payable teams.
Business email compromise (BEC) – when a scammer either sends an email pretending to be from someone else, or infiltrates a business’s email system to send fraudulent emails to trick someone into sending money or revealing sensitive information – was one of the biggest cyber security threats to Australian businesses in the 2023-24 financial year.
Almost $84 million was lost by businesses through BEC scams – an average of $55,000 per business, which is up from $39,000 last year – while a further 20% of reported cybercrime came from BEC scams with no financial loss.
BEC scams that resulted in financial losses accounted for 13% of reported cybercrimes. When you add those figures together, 33% of the reported 87,400 scams were BEC – which illustrates the scale of the threat.
Online banking fraud, meanwhile, was also in the top three reported cyber security threats, accounting for 13% of cyber security breaches.
For large and medium-sized businesses in Australia, the average cost of a cybercrime incident decreased in FY2023-24.
For large businesses, the average cost was $63,300 (down 11%), while for medium-sized businesses the average cost was $62,800 (down a huge 35%).
This potentially illustrates an increased awareness, and more refined systems and processes to reduce the cyber risk – although it’s important to note these losses are still significant and the threat continues to evolve.
For small businesses, however, it was a different story. The average self-reported cost of a cybercrime incident to a small business was $49,000 – up 8% on last financial year.
This underlines that small businesses are as valuable a target for cybercriminals as their larger counterparts, and suggests that small businesses have work to do in terms of cyber security.
The reality is that while a $60,000 loss for a big business would make an impact, it’s unlikely to cause lasting damage. A $49,000 loss for a small business could be terminal.
Personal and financial information is incredibly valuable on the dark web or for use in future cyber attacks – and in FY2023-24 there was a 39% increase in isolated data compromises. This is when a specific dataset, or a limited portion of information within an organisation is stolen without causing broader system disruptions.
This is a significant threat for Australian businesses, as often these incidents can look relatively small-scale, and don’t cause major immediate damage.
They do, however, create a significant downstream risk, and their increased prevalence suggests cybercriminals may be operating in a more pragmatic fashion – taking smaller pieces of information more often, rather than carrying out larger-scale attacks.
Extortion-related incidents (when malicious actors use threats, coercion or manipulation, such as revealing data, disrupting services or causing reputational harm) increased by 9% in FY2023-24.
Of these, 71% were ransomware attacks – where malicious software encrypts data or systems, and the malicious actor demands a payment for decryption and/or to prevent the data being released publicly. Overall, 11% of all cyber security incidents came from ransomware attacks, and the ASD strongly advises against paying ransom demands, as it perpetuates cybercrime.
The ASD categorises cyber incidents on a scale of Category 1 (C1, most severe) to Category 6 (C6, least severe), based on both the impact of the incident and the significance of the affected organisation to Australia.
In FY2022-23, C3 incidents – which typically affect organisations such as federal and state governments, large businesses, academia and supply chains – most commonly involved compromised accounts or credentials (23%), malware infection other than ransomware (19%) and compromised assets, networks or infrastructure (18%).
In FY2023-24, however, assets, networks or infrastructure were more frequently compromised than accounts or credentials, showing that cybercriminals are evolving and adapting their methods to gain access to systems.
For businesses, this underlines the importance of keeping systems and software patched and up to date, and staff educated on the different types of cyber threats that businesses are facing.
On an individual level, the top three cyber security challenges remained unchanged in FY2023-24, with identity fraud accounting for 26% of reported cybercrimes for individuals. Online shopping fraud (15%) and online banking fraud (12%) completed the top three.
The ASD recommends that to mitigate cyber security threats, businesses and organisations should:
The ASD report says:
“Cyber security is not set-and-forget. Organisations should consider replacing unsupported information and communications technology (ICT) systems with secure-by-design products, consider cyber security when implementing new technologies and follow ASD’s best-practice cyber security advice, such as the Essential Eight. Regularly updating and applying ICT best practice builds resilience now and into the future.”