Only 8 percent of reported online attacks on businesses have resulted in a criminal being charged, according to the results of Australia's first Cyber Crime and Security Survey (PDF).
The survey was commissioned by Computer Emergency Response Team (CERT) Australia and conducted by the Centre for Internet Safety at the University of Canberra. It was sent to 450 companies that are CERT Australia stakeholders.
Despite this being the survey's first year, the Attorney-General's Department said in a media release that online attacks are becoming increasingly targeted and coordinated. It cited results of the survey, which showed that 20 percent of respondents experienced an attack in the past year.
The survey found that attackers are typically getting away with no recourse. About 44 percent of breached organisations opted not to report a security breach. When questioned as to why, 20 percent said they were afraid of negative publicity.
About 74 percent thought that the security issue didn't warrant an investigation by law enforcement, while 35 percent didn't think law enforcement could do anything, and 26 percent thought that an investigation would be useless in catching the perpetrators.
The thinking of the latter organisations may have been the most accurate; of the cybersecurity incidents that victims did report, just 8 percent resulted in a person being charged.
Of those that did report a breach, 33 percent said their allegations were not investigated, and 29 percent never heard back about what happened to their investigation.
Attackers have been gaining access primarily through automated attack tools, or by taking advantage of organisations that had unpatched or unprotected software vulnerabilities, or misconfigured operating systems, applications, or network devices. A further 20 percent of the victims reported having experienced more than 10 security incidents.
However, the victims have typically been making an effort to boost their security; half of all breached organisations reported increasing their spend on IT security in the past 12 months.
Additionally, over 90 percent of all organisations surveyed reported using firewalls, anti-spam filters, and antivirus software, and nearly two thirds use IT security-related standards.
Australian Attorney-General Mark Dreyfus said that the inaugural survey report would provide a useful foundation from which to judge how online attacks on businesses are changing.
"Year on year, we're going to be able to carry out this survey again, [and] examine from this baseline whether or not there's a change in the nature of cyberattack, change in frequency or scale or intensity of cyberattack, and take appropriate remedial action," he said at its launch on Monday.
Despite the poor performance of law-enforcement agencies at catching those responsible for online attacks, Dreyfus encouraged businesses to better engage CERT Australia.
"The reason for setting up CERT Australia is to make sure that business understands that there is somewhere to go to, somewhere to complain to," he said.