The 2020-21 ACSC Annual Cyber Threat report is out, and as you’d expect, it’s not happy reading. However, if you care about your business, checking it out will give you a good handle on what you should be worried about.
Which six cybersecurity threats are hitting the headlines?
First up – we recommend that you read the full report. But in case you’re tight on time (and because we care), we’ve paraphrased ACSC’s six key cyber security threats and trends in the 2020-21 financial year.
- Exploitation of the pandemic environment. Malicious actors showed no mercy. Spear phishing emails leveraged the COVID-bandwagon to collect personal details from the unwary, and the health care sector and critical services were significant targets of ransomware attacks.
- Disruption of essential services and critical infrastructure. Around 25% of reported cyber incidents were associated with Australia’s critical infrastructure or essential services. Think health care, food distribution and energy sectors – and the potential for loss of life.
- Ransomware (and this is a biggie). With a 15% increase over the last year, it’s now one of the most significant threats to Australian organisations. Cybercriminal ransom demands ranged from thousands to millions of dollars. And scarily, they’ve got even better at it.
- Rapid exploitation of security vulnerabilities. Malicious actors exploited security vulnerabilities sometimes within hours of public disclosure, patch release or technical write-ups. And as well as doing it at speed, they did it at scale.
- Supply chains (in particular software and services). These stayed a hot target for malicious actors keen to access vendors’ customers. While Australia may have escaped the worst of major attacks like that on SolarWinds, we weren’t unscathed. As if our supply chain weren’t already under enough pressure, the threat of compromise remains high.
- Business email compromise (aka BEC). In these days of work-from-home, BEC remains a leading threat to Australian businesses and government. Over 2020–21, the average loss per successful event was more than $50,600 (AUD), a 150%+ increase over the year before.
Why have things got worse?
Well, COVID-19 has significantly increased our reliance on the internet to run our businesses and organisations. We’d truly be lost without it. But the net comes with a dark downside.
As the new ACSC report rightly observes: ‘This dependence has increased the attack surface and generated more opportunities for malicious cyber actors to exploit vulnerable targets in Australia.’
Some handy resources
A solid approach to cybersecurity must be front and centre of everything IT in your business. It needs to be all-encompassing and cover everything from email protocols to BYOD devices, remote working, unpatched vulnerabilities, neglected updates, and more! It should also include a disaster recovery plan, so if your data is ever ransomed, you have a viable and potentially business-saving Plan B.
And don’t forget that regular training plays a big part in keeping your business safe. Cybercriminals constantly come up with cunning new ways to bypass even the Holy Cybersecurity Grail of multi-factor authentication.
- Adopt the ACSC Essential Eight maturity model. If you have Microsoft Windows-based internet-connected networks, check out the Essential Eight to help mitigate the damage caused by a cyberattack.
- Train, train, and train some more. If you don’t have the internal resources to train your people, Sophos has some great free resources & tools – they make online cybersecurity awareness training interesting, fun, and educational.
- Make your point loud and clear. If you’re struggling to communicate to the business at large about how critical it is to invest in cybersecurity, then sharing these crime stats from ACSC might help.
- Need to report a cybercrime? This is your starting place regardless of whether the crime is against an individual, a small to medium business, a large infrastructure organisation, or a government department or agency.
- Stay up to date with the most recent security vulnerabilities. Check out (and subscribe to) these blogs from our security partner, Sophos.
As ever, if you’ve got any questions – big or small – or would like some help or just a chat about safeguarding your business, contact us.