A total of 1630 incidents were reported, with the categorisation ranging from 1 (most severe) to 6 (least severe). In 2020-21, there were no incidents that were in either category 1 or 2. But a higher proportion were classified as category 4 that in the previous financial year.
The highest number of reports of cyber crime during the financial year 2020-21 came from Queensland (30%), with Victoria just behind (29%).
The highest average financial losses were reported by victims in South Australia and Western Australia. Total losses totalled about $33 billion.
A graph showing the incidents during the two years, 2019-20 and 2020-21, indicated that there was a spike in April last year which was attributed to a bulk extortion campaign.
More than 1500 incidents related to the pandemic were reported every month, with three-quarters of them relating to the loss of money or personal information.
There were about 500 ransomware incidents reported, an increase of about 15% from the previous financial year. The report can be downloaded here.
Satnam Narang, staff research engineer at security shop Tenable, said the findings underscored much of what security professionals had been seeing and warning about.
"Cyber criminals are operating with a fierce determination now more than ever before," he said. "The COVID-19 pandemic and the shift to remote work has provided new opportunities to both scammers and financially-driven thieves alike.
"The 15% increase in ransomware attacks can be largely attributed to the rise in ransomware-as-a-service groups, which enables cyber criminals to make a significant profit, and the adoption of double extortion tactics.
"Not only do organisations have to worry about computers in their network being encrypted, but they also have to worry about ransomware groups stealing their sensitive data and threatening to publish them on the dark web if their ransom demands are not met. Ransomware has always been considered a prominent part of the game so to speak, but now ransomware has become the game."
Narang said some of the tried and true methods used by cyber criminals to target organisations were well-known: spearphishing via email, exploitation of unpatched or zero-day vulnerabilities and brute force attacks, including those targeting Remote Desktop Protocol.
"Despite this knowledge being widely discussed, we continue to witness cyber criminals successfully utilising these tactics. Readily available proof-of-concept exploit code typically provided for defenders is being routinely incorporated into toolkits by cyber criminals and used against vulnerable systems," he said.
"There are important lessons and reminders to be gleaned from the ACSC report and one of which highlights the importance of cyber hygiene. This includes identifying all vulnerable assets within a network and ensuring they are properly patched in a timely manner."
He suggested a number of steps that firms could take to avoid cyber disasters:
- Ensure multi-factor authentication is in use across the organisation.
- Have proper endpoint security and gateway security solutions in place.
- Provide cyber-security awareness training to your employees on a regular basis.
- Ensure that offline back-ups are available and tested.
- Regularly audit the permissions on user accounts to ensure ghost accounts aren't still available on your systems and that permissions are not too lax.
- And finally, have an incident response plan in place and perform tabletop exercises to ensure your organisation is adequately prepared to respond to an incident when it happens.
Matthew Lowe, area vice-president ANZ at IT service management vendor Ivanti, said “The ACSC took down over 100 malicious, COVID-themed, credential harvesting websites that were distributed not only through phishing emails, but also in the form of SMS and social engineering via messaging applications.
"These types of attacks target users on often forgotten about, less secure, and less actively managed devices that contain similar levels of access, data and therefore risk to an organisation — devices that are extremely common in today’s ‘Everywhere Workplace’.
“Adopting a zero trust model that takes into account the whole context of the user’s environment, and allows an organisation to identify the device, network, application and data before an access decision is made, is therefore key."
Lowe said the the ACSC’s Essential Eight recommendations were still the best baseline for any organisation to mitigate threats outlined in the report.
“While any organisation would benefit greatly from aligning with these recommendations, medium and large-sized organisations, schools and universities, state government agencies and supply chains — that is, those groups that have been primary targets for incidents in the ACSC’s reports — should absolutely prioritise this," he emphasised.
“On a positive note, a recent Ivanti survey of Australian CISOs revealed that 100% of respondents intend to align their cyber-security efforts with the Essential Eight within the next 12 months.”
Raymond Maisano, head of ANZ at Web performance and security company Cloudflare, said: "The shift to remote work has made the corporate perimeter more difficult to control. IT departments are now managing complex, conflicting configurations across VPNs, firewalls, proxies and identity providers, while often not restricting lateral movement of devices.
"Well-meaning employees are connecting to corporate networks via shared Wi-Fi services that may or may not be secure, and potentially using their devices for everything—work, recreation, social media, online shopping and more.
"With Australian businesses more exposed, they are experiencing an increase in cyber threats and cyber crime, including phishing, infected malware and man-in-the-middle attacks.
"The solution is zero trust—enforcing consistent access controls across cloud, on-premise and SaaS applications and only connecting multi-factor authenticated employees to their required services, leaving room for zero lateral movements.
"By shifting to zero trust access for all applications, businesses can protect themselves from cyber threats like malware, ransomware, shadow IT, and other Internet risks over all ports and protocols, ultimately mitigating their risk of becoming a statistic in the next ACSC report.
Raj Samani, McAfee Fellow and chief scientist at McAfee, said: "Over the past 18 months, cyber criminals have become smarter and quicker to pivot their tactics alongside a whole host of new bad-actor schemes. If we look at the variants targeting Australia, based on the proliferation of victims based on the leak sites from ransomware operators we see Hive and Lockbit having compromised organisations in retail, IT, and the chemical sectors.
"What we're seeing is many of the usual ransomware techniques used by cyber criminals are linked to Web access – such as targeting Windows Remote Desktop Protocol, user execution, and exfiltration to cloud storage.
"On a cultural level, adopting a zero trust mindset can help businesses to maintain control over access to the network and all instances within it. Ultimately, Zero Trust demands constant verification as users access data, apps are installed, and information is shared."
H. Daniel Elbaum, chairman and co-chief executive of Australian cyber security company VeroGuard, said: "This assessment reflects a global vulnerability in critical infrastructure security. It is a result of organisations migrating to cloud-based operations that allows access to data and operations via open networks.
"It makes sense that business and government want to automate and leverage Internet-based open networks to support mobility, connectivity, and the flow of data. However, the current focus on software-based detection tools, two-factor authentication and biometrics as methods to secure access are clearly not closing the gaps in security when working over the Internet with the cloud.
"Greater than 90% of attacks and breaches are on users' identity and credentials as accessing a system remotely by assuming an authorised user's identity allows the cyber-criminal to remain undetected for an average of 207 days. This is the logical and only place to focus that action."