It is not often in the cybersecurity realm that an indicator is headed in a happy direction, but that is what the overall incident number in the ACSC Annual Cyber Threat Report is doing.
For the 2020-21 fiscal year, the Australian Cyber Security Centre (ACSC) responded to 1,630 incidents, which works out to around 31 a week. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020–21 financial year decreased by 28%.
Other good news included ACSC not having to respond to any incidents in the top third of its six incident grading categories. In the year prior, it reported a single category 1 incident and four category 2 incidents.
Now for the bad news that typically makes up these reports.
Overall, a more severe incident grade is now the most commonly reported, with category 4 replacing category 5 as the most frequent. Category 4 incidents accounted for 49% of all incidents, up from 35% the previous year.
"The highest proportion of incidents the ACSC responded to related to low-level malicious activity such as targeted reconnaissance, phishing, or non-sensitive data loss, accounting for more than half of the cybersecurity incidents," the report said.
The report highlighted the increasing financial losses related to business email compromise (BEC) despite the number of BEC incidents heading lower. Total losses hit AU$81.5 million, an increase of 15%, and the average loss for each successful BEC transaction jumped 54% to AU$50,600.
ACSC highlighted the bankruptcy of the hedge fund Levitas after false invoices saw it transfer AU$8.7 million to malicious actors.
"While the business recovered the majority of its funds, it suffered significant reputational damage and its main client withdrew," the report said.
"This forced the hedge fund to go into receivership and resulted in its bankruptcy. This was likely Australia's first bankruptcy case as a direct result of a cybercrime incident."
The establishment of a multi-agency BEC taskforce under the Australian Federal Police dubbed Operation Dolos was able to prevent AU$8.5 million being lost to business email compromises.
"Despite the headlines, many of the compromises experienced by Australians will continue to be fuelled by a lack of adequate cyber hygiene. This delivers a significant advantage to adversaries and lowers the technical barrier to targeting victims in Australia, highlighting the need to uplift cybersecurity maturity across the Australian economy," the ACSC said.
"Given the prevalence of malicious cyber actors targeting Australian networks -- which is often under-reported to the ACSC -- there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack to their networks."
In an area that the Australian Labor Party enjoys banging on about -- ransomware -- the report said there was a 15% increase to almost 500 ransomware reports for the year.
Shadow Assistant Minister for Cyber Security Tim Watts took the opportunity to have another whack at the government.
"The Morrison-Joyce Government has utterly failed to take meaningful action to prevent ransomware attacks on Australian organisations despite twelve months of warnings," he said.
"But while the Morrison-Joyce government never misses an opportunity for a dramatic press conference on cybersecurity, it's missed every opportunity to take the basic actions needed to combat the urgent threat of ransomware despite growing warnings.
"Instead, it's simply blamed the victims, telling businesses it's up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals."
In total terms, ACSC said it experienced a 13% increase in cybercrime reports over 2020-21 to 67,500, with the interval between reports shrinking from one report every 10 minutes to one every 8 minutes.
"A higher proportion of cybersecurity incidents this financial year was categorised by the ACSC as 'substantial' in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline," the report said.
"The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services -- such as ransomware-as-a-service -- via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment."
Going against the population distribution in Australia, Queensland led the way on cybercrime reports followed by Victoria, New South Wales, Western Australia, and South Australia. Although trailing on the absolute numbers, WA and SA reported higher average financial losses. Overall, self-reported financial losses topped AU$33 billion.
The report was also far from rosy on the outlook of supply chain compromises like those involving SolarWinds and Microsoft Exchange, describing them as "the new norm".
"Over the next 12 months, additional supply chain compromises will likely come to light, major vulnerabilities will continue to emerge and Australia will experience more major financially motivated cyber incidents, some of which could disrupt critical services," it said.