Nano Solutions

Cybersecurity in Australia: Key Insights from FY2023-24

Updated: 27 May 2026 Petr Cervenka

The Australian Signals Directorate (ASD) has released its annual review, highlighting significant trends, challenges, and achievements in safeguarding Australia against cyber threats. Here’s what you need to know:

The Threat Landscape

  • Growing Cybercrime Costs:
    • Individuals reported a 17% rise in cybercrime costs, averaging $30,700 per incident.
    • Small businesses faced higher impacts (+8%), while medium and large businesses saw costs decline overall.
  • Top Cyber Threats:
    • For individuals: Identity fraud (26%), online shopping fraud (15%), and online banking fraud (12%).
    • For businesses: Email compromise (20%) and banking-related fraud (26%).
  • Incident Trends:
    • A report of cybercrime was filed every 6 minutes, with ransomware incidents increasing by 3%.
    • Low-level malicious attacks surged by 10%, while severe compromises decreased slightly.

What ASD Achieved

  • Rapid Response: Handled over 1,100 cyber incidents, providing critical assistance to impacted entities.
  • Blocking Malicious Activity:
    • 82M malicious domains blocked (+21%).
    • Over 189,000 malicious domains targeting Australian servers removed (+49%).
  • Strengthened Collaboration:
    • Cyber Threat Intelligence Sharing grew by 66% to over 400 partners, sharing 1.37M indicators of compromise.
    • Conducted 16 cyber exercises with 130+ organisations to enhance resilience.
  • Awareness & Guidance: Published 118 alerts and collaborated on 19 international advisories to improve public preparedness.

Critical Infrastructure Protection

  • Notified organisations 90+ times of malicious activity and conducted 42 workshops to improve security.
  • Completed 10 critical infrastructure security uplifts covering 15 key assets.

Notable Australian Breach Case Studies

The statistics above become more tangible when you look at specific incidents from the reporting period.

Medibank Private (aftermath and regulatory action)

The Medibank breach, which exposed the personal and health records of 9.7 million Australians, continued to reverberate through FY2023-24. The Office of the Australian Information Commissioner (OAIC) filed Federal Court proceedings alleging that Medibank failed to take reasonable steps to protect personal information. The insurer disclosed remediation costs exceeding $46.4 million across customer support, system uplift, and legal proceedings. The attackers exploited compromised VPN credentials that lacked multi-factor authentication — a mitigation listed as the first control in the ACSC Essential Eight. The lesson is stark: a single missing control can expose millions of records and trigger years of regulatory scrutiny.

HWL Ebsworth (law firm ransomware)

In April 2023, the ALPHV/BlackCat ransomware group breached HWL Ebsworth, one of Australia's largest law firms. The attackers exfiltrated approximately 2.5 terabytes of data, including client matter files for government departments, banks, and insurers. HWL Ebsworth refused to pay the ransom, and the group published stolen data on the dark web. The incident exposed the supply chain risk that professional services firms pose to their clients. For Perth businesses engaging external legal, accounting, or IT providers, this case underscores the importance of assessing third-party security posture — not just your own.

DP World Australia (port operator disruption)

In November 2023, DP World Australia — which handles roughly 40% of Australia's container trade — suffered a cyberattack that forced the company to disconnect its systems from the internet. Port operations at Sydney, Melbourne, Brisbane, and Fremantle were disrupted for three days. The financial cost ran into tens of millions in delayed cargo, rerouting, and manual workarounds. The attack demonstrated that operational technology (OT) environments remain vulnerable, and that cyber incidents in critical infrastructure have immediate physical-world consequences.

The ACSC Essential Eight: A Practical Checklist

The Australian Cyber Security Centre's Essential Eight is the baseline framework referenced throughout the ASD report. Originally designed for government agencies, it is now widely adopted across the private sector as the minimum standard for cyber resilience. The eight mitigation strategies, listed in order of priority, are:

  1. Application control — Only approved applications can execute on workstations and servers. This prevents malware, ransomware, and unauthorised software from running, even if a user is tricked into downloading it.
  2. Patch applications — Apply security patches for applications (browsers, PDF readers, Java, Microsoft Office) within 48 hours of release when a vulnerability is rated critical. The ASD report notes that many compromises exploited known vulnerabilities where patches were available but not applied.
  3. Configure Microsoft Office macro settings — Block macros from the internet and only allow vetted, signed macros in trusted locations. Macros remain a common delivery mechanism for malware targeting Australian businesses.
  4. User application hardening — Disable unnecessary features in web browsers and other applications: Flash, ads, Java in browsers, and PowerShell execution where not required.
  5. Restrict administrative privileges — Limit admin access to the people and accounts that genuinely need it. Review admin accounts regularly and remove stale privileges. The Medibank breach was a direct consequence of failing this control.
  6. Patch operating systems — Apply OS security patches within 48 hours for critical vulnerabilities. Use supported operating system versions — end-of-life systems receive no patches and represent an open door.
  7. Multi-factor authentication (MFA) — Require MFA for all remote access, cloud services, privileged accounts, and email. The ASD report repeatedly highlights MFA as the single most effective control against credential-based attacks.
  8. Regular backups — Maintain backups of critical data, software, and configuration settings. Test restoration regularly. Store at least one backup offline or immutable so that ransomware cannot encrypt it.

Achieving Maturity Level 1 across all eight controls is a reasonable goal for most small and medium businesses. Maturity Level 2 and Level 3 introduce additional controls around event logging, hardened configurations, and automated verification — typically relevant for organisations handling sensitive government or financial data.
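
As an added example (not taken from the ASD report or from Nano Solutions' tooling), the script below checks three of the controls above against a small inventory: critical patches against the 48-hour window (items 2 and 6), stale admin accounts (item 5), and MFA on privileged or remote-access accounts (item 7). The record layout, the 90-day staleness threshold, the patch names and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)  # from the checklist: critical patches within 48 hours
STALE_ADMIN = timedelta(days=90)    # assumption: the page sets no threshold for "stale"

# Constructed sample inventory (not real data); field names are hypothetical.
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True, "remote": True, "last_login": "2024-06-20"},
    {"user": "svc-backup", "admin": True, "mfa": False, "remote": False, "last_login": "2024-01-05"},
    {"user": "bob", "admin": False, "mfa": False, "remote": True, "last_login": "2024-06-28"},
    {"user": "carol", "admin": False, "mfa": False, "remote": False, "last_login": "2024-06-27"},
]
PATCHES = [
    {"host": "web01", "patch": "PATCH-A", "severity": "critical", "released": "2024-06-25T09:00", "applied": "2024-06-26T10:00"},
    {"host": "db01", "patch": "PATCH-A", "severity": "critical", "released": "2024-06-25T09:00", "applied": None},
    {"host": "ws17", "patch": "PATCH-B", "severity": "critical", "released": "2024-06-29T12:00", "applied": None},
    {"host": "ws17", "patch": "PATCH-C", "severity": "low", "released": "2024-05-01T00:00", "applied": None},
]

def audit_accounts(accounts, now):
    """Flag privileged or remote accounts without MFA, and admin accounts idle past STALE_ADMIN."""
    findings = []
    for a in accounts:
        if not a["mfa"] and (a["admin"] or a["remote"]):
            findings.append((a["user"], "mfa-missing"))
        idle = now - datetime.fromisoformat(a["last_login"])
        if a["admin"] and idle > STALE_ADMIN:
            findings.append((a["user"], "stale-admin"))
    return findings

def audit_patches(patches, now):
    """Flag critical patches that missed the 48-hour window, whether still pending or applied late."""
    findings = []
    for p in patches:
        if p["severity"] != "critical":
            continue
        deadline = datetime.fromisoformat(p["released"]) + PATCH_WINDOW
        applied = datetime.fromisoformat(p["applied"]) if p["applied"] else None
        if applied is None and now > deadline:
            findings.append((p["host"], p["patch"], "overdue"))
        elif applied is not None and applied > deadline:
            findings.append((p["host"], p["patch"], "applied-late"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 30)  # fixed audit time so the sample output is reproducible
    print(audit_accounts(ACCOUNTS, now))
    print(audit_patches(PATCHES, now))
```

In practice the two lists would come from an identity provider export and a patch management report; a patch still inside its 48-hour window (ws17 above) is deliberately not flagged.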

What This Means for Perth Businesses

The report’s findings carry direct implications for small and medium businesses in Western Australia. With cybercrime costs rising fastest for individuals and small businesses, the message is clear: no organisation is too small to be targeted.

Perth businesses operating in mining services, logistics, and professional services are particularly exposed. These industries rely heavily on email communication, cloud-based tools, and third-party integrations — all of which expand the attack surface. A single email compromise can lead to fraudulent invoices, unauthorised fund transfers, or the exposure of sensitive client data.

Practical Steps You Can Take Now

You do not need an enterprise-level security budget to meaningfully reduce your risk. Here are actions any Perth business can implement:

  • Enable multi-factor authentication (MFA) on all business email and cloud accounts. MFA alone blocks the vast majority of automated credential attacks.
  • Implement the ASD Essential Eight — a set of baseline mitigation strategies designed specifically for Australian organisations. Start with application patching, restricting admin privileges, and configuring Microsoft Office macro settings.
  • Conduct regular phishing awareness training. Human error remains the leading cause of email compromise. Even a short quarterly session can dramatically improve your team’s ability to spot suspicious messages.
  • Review your backup strategy. Ransomware attacks increased by 3% this year. Ensure you have offline or immutable backups that cannot be encrypted by an attacker who gains access to your network.
  • Engage a local IT partner for a security review. An external assessment can identify blind spots that internal teams overlook, particularly around firewall configurations, outdated software, and access controls.

Compliance Is Becoming Non-Negotiable

The Australian Government continues to tighten cybersecurity obligations, particularly for businesses that handle personal information or operate in critical infrastructure sectors. The Privacy Act reforms and the Security of Critical Infrastructure Act (SOCI) are raising the bar for what constitutes adequate security. Businesses that fall short risk not only breaches but also regulatory penalties.

Small Business Is Not a Shield

One of the most dangerous assumptions a business can make is that its size makes it an unlikely target. The ASD data tells a different story. Cybercriminals increasingly use automated tools that scan for vulnerabilities indiscriminately — they do not check your revenue before launching an attack. Small businesses often have weaker defences and fewer resources to recover, making them attractive targets for opportunistic attackers. The average cost of $30,700 per incident can be devastating for a business with limited reserves.

Supply Chain and Third-Party Risk

A recurring theme in the ASD report is the growing risk from supply chain compromise. Attackers are increasingly targeting smaller suppliers and service providers as a pathway into larger organisations. The HWL Ebsworth breach is a clear example: dozens of government departments and major corporations were exposed not through their own systems, but through a trusted third party.

For Perth businesses, this means security cannot stop at your own perimeter. If you share data with accountants, legal firms, managed service providers, or SaaS vendors, their security posture directly affects yours. Practical steps include:

  • Asking vendors for evidence of their security controls — at a minimum, SOC 2 Type II or ISO 27001 certification.
  • Reviewing access permissions granted to third parties and revoking credentials that are no longer needed.
  • Including security requirements in contracts — data handling obligations, breach notification timelines, and the right to audit.
  • Maintaining an inventory of third-party integrations and the data each system can access.

How Nano Solutions Can Help

At Nano Solutions, we help Perth businesses build resilient infrastructure through automated patch management, security configuration enforcement, and ongoing cloud monitoring — using tools like Ansible to ensure your systems stay hardened and compliant.

Our security services cover the full lifecycle:

  • Secure code review: We assess your application source code against the OWASP Top 10 and ASVS frameworks, identifying vulnerabilities before they reach production.
  • Cloud compliance: We help you achieve and maintain ISO 27001, Essential Eight Maturity Level 2, and SOC 2 readiness — including gap analysis, remediation planning, and audit preparation.
  • Cloud security architecture: We design and implement IAM policies, network segmentation, encryption, and monitoring across AWS, Azure, and hybrid environments.
  • Cloud maintenance: Our 24/7 monitoring service detects anomalies, applies security patches, and provides incident response — so you are not relying on a team member to notice something at midnight.

If the ASD report has prompted you to reassess your security posture, get in touch for a scoping conversation. We work with businesses of all sizes, from startups to WA Government agencies under the CUAICTS2021 panel arrangement.

Stay vigilant. Stay secure.

Petr Cervenka

Petr is the founder and lead developer at Nano Solutions, a Perth-based custom software firm. With over a decade of experience building enterprise platforms for government and private sector clients, he leads delivery of complex projects across Australia.