Australia Reports Rising Cyberattacks on Small Businesses
Cyber Group Says Hackers Now See SMBs as Being More Lucrative Than Larger Targets
The Australian Cyber Security Center said in a report Wednesday that small and medium-sized businesses in Australia continue to face the bulk of cyberattacks. Cyber operations linked to financially motivated scams have grown by 23% over the past year.
While small businesses on average suffered $46,000 in losses to cybercrime in the past year, medium-sized businesses suffered average losses of $97,200, the Australian Cyber Security Center said. In contrast, large businesses, often believed to be the prime targets for cybercrime, suffered $71,600 in losses in attacks.
"The borderless and multibillion-dollar cybercrime industry continues to cause significant harm to Australia, with Australians remaining an attractive target for cybercriminal syndicates around the world," said Minister of Defense Richard Marles, MP. "This threat extends beyond cyberespionage campaigns to disruptive activities against Australia’s essential services."
While reports of attacks targeting Australian residents and businesses grew 23% over the past year, the government admitted the actual number could be much higher as cybercrime is massively underreported in the country.
Attacks against federal, state and local governments, which are required to report cybercriminal activity, accounted for 43.5% of all cybersecurity incidents. Healthcare and financial services sectors, traditionally considered low-hanging fruit for cybercrime, reported just over 10% of all cybersecurity incidents.
The Australian Signals Directorate, the country's premier intelligence agency, said it responded to 143 incidents reported by critical infrastructure entities over the past year. The agency said critical infrastructure networks have a broad attack surface, but criminals frequently used compromised accounts or credentials and denial-of-service attacks to infiltrate their networks. Reported ransomware attacks, numbering 118 in total, accounted for around 10% of all cybersecurity incidents.
The report came on the heels of a cyberattack this week on Dubai-based logistics company DP World's Australian subsidiary that disrupted operations at four major Australian ports. The outage resulted in a backlog of 30,000 containers over three days (see: Australian Ports Recover From Cyber Incident).
Small Businesses Becoming Core Targets for Hackers
The ACSC said cybercriminals continue to target larger businesses to extort large sums of money or monetize stolen data, but they consider smaller businesses easier and more profitable targets. "Smaller entities may be perceived as having lower cybersecurity maturity and may be used to access more lucrative targets in their supply chain. A cyberattack against entities in this sector could have significant impacts for both the victim organization and its customers," it said.
Smaller businesses, according to a report by the Australian Institute of Criminology, are more likely to be victims of identity misuse, malware attacks, fraud and scams. Many small businesses transitioned to working from home during and after the pandemic, and cybercriminals know that their devices are not protected by corporate security controls, their home internet connections are less secure and they store their data on unsecure personal devices.
Earlier this year, the Council of Small Business Organizations Australia warned that small businesses' vulnerability to cybercrime could escalate as they could no longer afford to invest in cybersecurity amid a looming cost-of-living crisis and rising interest rates (see: Australia's Cost-of-Living Crisis Squeezes Security Spending).
The Australian government in its 2023-24 federal budget provided AU$23.4 million to help small businesses become more resilient against cybercrime. The government hopes that its new initiative, called the Cyber Wardens program, can equip small businesses with foundational skills they need to enhance cyber safety.
The government and businesses across sectors are under pressure. The ACSC said in its report that business email compromise is a silent and effective weapon in the hands of criminals, netting them almost $80 million in 2022-23 with each successful attack costing businesses over $39,000 on average.
Cybercriminals have honed the art of impersonating businesses or trusted vendors and stealing sensitive information, money or goods from business partners and customers, the watchdog said. The Targeting Scams report by the Australian Competition and Consumer Commission revealed that Australians lost over $3 billion to scams in 2022, an 80% increase on total losses recorded in 2021.
"Phishing scams aren't new, but they're still super effective at tricking people," said Klaus Schenk, senior vice president of security and threat research at Verimatrix. "Targeted phishing campaigns that exploit human fallibility remain an ongoing threat that organizations must continually train against. Organizations need to invest in ongoing cybersecurity training for their staff, so employees can learn how to spot and avoid phishing attempts. Defense against phishing starts with people."