Insights from the Latest ASD Report on Critical Threat Trends

Between 2022 and 2023, the Australian Signals Directorate (ASD) reported 94,000 cybercrimes, marking a 23% increase from the past financial year.

It's no secret that cybercriminals are becoming more capable and daring in their attacks, as evidenced by the weekly reports of major breaches in national news. The ASD receives a cybercrime report every six minutes, and there has been a notable 32% surge in calls to the Australian Cybercrime hotline in 2023.

In light of these alarming statistics, it is imperative for organisations, regardless of size, to prioritise the fortification of their defences. 

Acknowledging cybercrimes status as one of the most immediate and high-impact modern-day threats to Australia, the recent ASD Cyber Threat Report, reviews, analyses and provides uncomplicated but necessary measures for businesses of today to implement and best safeguard.

What impact is cybercrime having on Australian businesses?

It's evident that the impact of attacks on Australian businesses has become increasingly severe, with many high profile attacks being publicised in the media in recent times, including port management company DP World, Optus and Pareto Phone.

According to the recent ASD Cyber Threat Report, the average self-disclosed expense incurred by businesses due to cybercrime has risen by 14% compared to the same period last year. The following three categories of business figures outline what one can anticipate in the event of an attack.

• $46,000 for Small Businesses
• $97,200 for Medium Businesses
• $71,600 for Large Organisations

This, of course, can be incredibly disruptive and damaging to any business, with large financial costs, the cost of downtime and data loss, and the long term effects of reputational damage having to be recovered.

Common Cybercriminal Techniques

According to the Cyber Criminal review within the ASD Cyber Threat Report the top six techniques that cybercriminals use are:

1. Phishing - an attempt to trick recipients into clicking on malicious links or attachments to harvest
   sensitive information, like login details or bank account details, or to facilitate other malicious
   activity. Spear phishing is more targeted and tailored: cybercriminals may research victims using
   social media and the internet to craft convincing messages designed to lure the specific victim(s) in.
   
   
2. Ransomware - a type of extortion that uses malware for data or system encryption. Cybercriminals
   encrypt data or a system and request payment in return for decryption keys. Ransomware-as-a-Service
   (RaaS) is a business model between ransomware operators and ransomware buyers known as
   ‘affiliates’. Affiliates pay a fee to RaaS operators to use their ransomware, which can enable affiliates
   with little technical knowledge to deploy ransomware attacks.
   
   
3. Data-theft extortion - does not require data encryption, but cybercriminals will use extortion tactics
   such as threatening to expose sensitive data to extract payment. The added threat of reputational
   damage is intended to pressure a victim into complying with the malicious attackers demands.
   
   
4. Data theft and on-sale - when data is extracted for use by a cybercriminal for the purpose of
   on-selling the data (such as personal information, logins or passwords) for further criminal activity,
   including fraud and financial theft. 
   
   
5. Business Email Compromise (BEC) - a form of email fraud. Cybercriminals target organisations
   and try to scam them out of money or goods by attempting to trick employees into revealing
   important business information, often by impersonating trusted senders. BEC can also involve a
   cybercriminal gaining access to a business email address and then sending out spear phishing
   emails to clients and customers for information or payment.
   
   
6. Denial-of-Service (DoS) - designed to disrupt or degrade online services, such as a website.
   Cybercriminals may direct a large volume of unwanted traffic to consume the victim network’s
   bandwidth, which limits or prevents legitimate users from accessing the website. 

Given that the majority of businesses, irrespective of their size, rely on email, websites, passwords, and various forms of data encryption, it is evident from the above explanations, that organisations of any scale are vulnerable to cyber attacks.

Therefore, taking a proactive approach is crucial to maximise the likelihood of avoiding being targeted.

Being Proactive In Your Cyber Attack Management

One of the major cybercrimes that threatens businesses today is Business Email Compromise Fraud; which normally involves financial loss for the business. According to the ASD, nearly $8 million in reported cybercrime losses is attributed to Business Email Compromise Fraud, averaging around $39,000 in losses for each incident.

Can your business withstand such substantial financial setbacks?

Patching represents another significant vulnerability for attackers seeking to breach companies, as highlighted by the Australian Cyber Security Centre (ACSC) under the ASD. Their analysis indicates that half of the vulnerabilities introduced by patch releases are exploited within two weeks. It is imperative for businesses to promptly address this by patching, updating, or mitigating critical vulnerabilities within 48 hours, and for other vulnerabilities, action should be taken within two weeks.

To impede email attacks—one of the top 6 techniques employed by cybercriminals—organisations, regardless of size, should conduct regular Cyber Security Training. Employees should exercise caution when encountering emails requesting payments or changes to bank details. It is advisable to verify suspicious emails through the official website or confirmed contact information, as the contact details provided within the message might be deceptive.

Some of the more basic protections that businesses can employ include:

• Updating your devices and turning on automatic updates.
• Turning on Multi-Factor Authentication for online services.
• Regularly test cyber security detection, incident response, business continuity and disaster recovery plans.
• Review the cyber security posture of remote workers including their use of communication, collaboration
  and business productivity software.
• Train staff on cyber security matters, in particular how to recognise scams and phishing attempts.
• Use long and unique passphrases for every account. Password managers can assist with creating
  passphrases to protect your account.
• Turn on automatic updates for all software, and do not ignore installation prompts.
• Regularly back up important files and device configurations settings.
• Only use reputable cloud service providers and managed service providers that implement appropriate
  cyber security measures.

So, what else can you do to protect your business from cybercrime?

The Essential Eight is a "series of baseline mitigation strategies" also recommended to all Australian businesses by the ACSC. While no single mitigation strategy can prevent cyber attacks, the Essential 8 is a great start.

We also strongly recommend implementing Cyber Security Awareness Training for all levels of employees. ASD recommends training staff to strengthen your cyber defence, an item which is often referred to as the "Essential 9th" mitigation strategy. 

Reputable Cyber Security Awareness Training courses educate employees about cyber threats and attacks they may be subjected to every day, such as a phishing or ransomware attack, giving them the knowledge and tools they need to be able to identify and take the appropriate action required if they do receive a malicious attempt.

How Can Diamond IT Support Your Cyber Security Defences?

Diamond IT can help you ensure your technology, policy and staff education programs align with best practice to protect you from the ever-evolving cyber threat landscape. Our Business Technology Managers (BTMs) are specialists in improving your internal cyber security.  

• Managed IT Support with Cyber Security.
• Cybersecurity Awareness Training. 
• Cyber and Data Breach Consulting and Forensic Analysis.
• Disaster Recovery (DR) Planning.

If you need advice on how you can ensure your cyber security strategy is fit for purpose our team of cyber security experts are ready to help. Contact our team on 1300 307 907 today.