One every eight minutes – this was how often cyberattacks were reported to the Australian Cyber Security Centre (ACSC) during the 2020-21 financial year, placing the country among the most targeted nations in the world.
During the period, the agency received an estimated 67,500 reports of cybersecurity incidents, which was a 13% spike from the previous cycle. The majority of these attacks were categorised as “substantial,” with approximately a quarter affecting entities associated with Australia’s critical infrastructure.
“The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations,” the agency wrote in its latest annual cyber threat report. “The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.”
The study also noted how the coronavirus outbreak contributed to the growing number of cyberattacks. The agency’s data showed that more than 1,500 of the reports of malicious cyber activity during the financial year were related to the COVID-19 pandemic. The figure is equivalent to about four incidents daily. Of these, over three-fourths resulted in the loss of money or personal information.
Overall, self-reported losses from cybercrime during the period totalled more than $33 billion.
In a separate report, global tech giant Thales Group cautioned that even with the level of cybersecurity measures Australian businesses are implementing, many of them are still exposed to significant cyber risks.
Brian Grant, ANZ director at Thales Cloud Security, warned that cyber awareness training, paying ransoms, and other outdated approaches do not mitigate risks among data-dependent organisations.
“Staff turnover and inconsistent skills, combined with advanced social engineering by attackers, make cyber awareness ineffective, while paying a ransom only fosters more criminal behaviour,” he said. “It's encouraging that many businesses have increased security budgets and devised cyber-incident response plans, but a worrying lack of effective data security continues to leave gaping holes for criminals to exploit.”
These “gaping holes” were among the reasons why cyber coverage has become increasingly challenging to secure for many companies, one expert stressed.
“The cover offered by insurance providers has gained increased attention during the COVID-19 lockdowns,” wrote Scott Hesford, director of solutions engineering, Asia-Pacific and Japan at system software company BeyondTrust, in an article for Consultancy.com.au. “With many of their staff working from home, businesses are realising their pre-pandemic security measures are no longer providing the level of protection they require.
“A reliance on firewalls and other on-premise measures are simply insufficient. Home-based workers – thanks to insecure Wi-Fi, unpatched personal devices, and generally poor cyber hygiene – are more susceptible to everything from phishing campaigns to ransomware attacks and more.”
These situations, according to Hesford, have pushed cyber insurers to tighten underwriting guidelines and require customers to have certain security controls in place before they can access coverage. He added that insurance companies are becoming more selective about who they are willing to cover.
“Qualification for cyberattack coverage is being carefully assessed and potentially denied based on the answers of prospective and current customers to comprehensive security questionnaires,” Hesford explained. “Insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don’t qualify or otherwise pose too big a risk.”
Several studies have been conducted to determine the industries that are most vulnerable to cyberattacks. The results vary depending on which organisation did the research, but one common denominator is that the sectors found to be the most targeted were critical infrastructure providers.
ACSC’s report revealed that almost a quarter of reported cyber security incidents affected organisations providing essential services, including education, health, communications, electricity, water, and transport. These sectors occupied the third to sixth spots of the agency’s top 10 reporting industries, trailing only government entities, which accounted for more than a third of all reported cyberattacks.
These are the sectors that reported the highest number of cybersecurity incidents during the 2020-21 financial year, according to ACSC.
Separate tracking by the Office of the Australian Information Commissioner (OAIC) recorded 464 cyber incidents in the second half of 2021, an increase of about 6% from the first half of the year.
Data gathered by OAIC’s Notifiable Data Breach scheme revealed that malicious or criminal attacks remained the leading source of breaches, accounting for 256 notifications, or 55% of the total, down 9% from 281 in the first six months of 2021. This was followed by data breaches resulting from human error, which took up 41%.
Healthcare was the highest-reporting sector, accounting for 18% of all breaches reported to the OAIC. Financial services followed, disclosing 12% of the total notifications. Legal, accounting, and management services (11%), personal services (8%), education (7%), and insurance (7%) rounded out the top five industries reporting the most cyber breaches.
Data pulled from Darktrace’s customer base, meanwhile, has shown that healthcare was the most targeted industry in Australia in 2021, overtaking the financial and insurance sector, which ranked first the year prior.
The global cyber defence specialist’s early indicator analysis revealed that cyberattacks targeting the health and social care sector doubled last year compared to 2020. Figures also indicate that the trend is continuing in the first quarter of 2022, with the industry registering a 37% year-on-year spike in malicious activity.
The IT and communications sector likewise saw a 13% increase in cyber incidents, while attacks on the financial sector decreased by 35% from the same period last year.
“The sharp and significant rise in attacks on Australia’s health and social care sector suggests that attackers pivoted to targeting healthcare at a time when security teams were particularly overstretched and new infrastructures such as contact tracing, electronic test reporting, digital certificates and vaccine appointment bookings were being rolled out across the country,” the report noted.
“The continued rise in attacks likely reflects that at times of heightened geopolitical tension, for both nation-state actors and lone cybercriminals alike, critical infrastructure and services remain a top target to conduct espionage and cause maximal disruption.”
Hobart-headquartered cyber resilience platform UpGuard has compiled a list of the biggest data breaches in Australia in recent years, which the firm said was aimed at helping businesses “avoid some of the common malpractices that facilitate” such incidents. Many of the incidents below were targeted at the healthcare, financial services, education, and government sectors – industries that reported the highest number of attacks last year. Here are the top 10 incidents based on the scale of impact, according to UpGuard.
| Rank | Organisation | When | Impact | Type of data compromised |
| --- | --- | --- | --- | --- |
| 1 | Canva (graphic design platform) | May 2019 | 137 million users | |
| 2 | Ubiquiti Networks (communication device vendor) | December 2020 | Up to 85 million people (unconfirmed) | |
| 3 | ProctorU (online proctoring services) | July 2020 | 444,000 people | User records with email addresses belonging to members of more than a dozen of Australia’s top universities |
| 4 | Australian National University (ANU) | November 2018 | 200,000 students | |
| 5 | Eastern Health (hospital operator in Melbourne) | March 2021 | Four hospitals | None |
| 6 | Service NSW (government agency) | April 2020 | 104,000 people | Five million documents accessed, 10% of which contain sensitive data |
| 7 | Melbourne Heart Group (specialist cardiology unit in Cabrini Hospital) | February 2019 | 15,000 patients | None |
| 8 | Australian Parliament House | February 2019 | Multiple political party networks - Liberal, Labor, and the Nationals | No sensitive data compromised |
| 9 | Ambulance Tasmania | January 2021 | Every resident that requested an ambulance between November 2020 and January 2021 | |
| 10 | Northern Territory Government | February 2021 | 4,400 emails | Personal and business emails |
Source: UpGuard