Cyber breaches are rampant and there are many reasons why Australia is a soft target for cyber crooks.
The Australian Cyber Security Centre’s (ACSC) latest annual report for the year to June 2022 shows Australia experienced an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage and fraud easier to replicate at a greater scale.
The ACSC, a division of the Australian Signals Directorate, received more than 76,000 cybercrime reports, up nearly 13% on the previous financial year. That equates to one report every seven minutes, compared to every eight minutes in 2020-21.
High-profile cases that have made the news in Australia include Optus, Medibank Private, Meriton, CBA, IPH Ltd and Latitude Financial. Many occurred after the period covered by the ACSC report’s data, which suggests the situation is likely to be much worse when ACSC releases the 2022-23 report.
The Medibank Private hack alone resulted in the personal details of 9.7 million current and former customers being leaked.
A report released late last year by the Australian National University (ANU) suggests one in three Australian adults have been exposed to data breaches in the last 12 months.
ANU’s survey of almost 3,500 adults during October 2022 (before the Medibank Private hack) found 32.1% said they or a member of their household had been the victim of a data breach.
Study co-author Professor Nicholas Biddle said the survey’s findings showed cyber attacks were one of the fastest growing types of crime Australians now face.
“Roughly one-third of adult Australians, or about 6.4 million people, have been the victim of a breach in the last 12 months,” Professor Biddle said.
“In comparison, our survey found only 11.2% of Australians had been the victim of serious crimes like burglary or assault in the last five years.
“As our lives become more dominated by data, so too does our exposure to data-related crime. This needs serious attention.”
Journalist John Davidson, writing in the Australian Financial Review this month, said Australia has a poor reputation for cyber security, partly because:
- Complex and unnecessary data-retention laws and poor document-destruction practices make Australian organisations data-rich targets for cyber criminals.
- Outmoded privacy laws make it difficult for Australians to sue companies that are negligent in handling sensitive personal data.
- Many Australian boardrooms only started recognising the threat of cybercrime when Optus, then Medibank Private, were struck by “reputation-shattering” data breaches towards the end of 2022.
JMD Ross recommends all organisations implement ACSC’s Essential Eight mitigation strategies, which set a baseline to make it much harder for adversaries to compromise systems.