FY21 sees rise in e-banking scams; cyber incidents of ‘substantial’ impact increase – ACSC


The Australian Cyber Security Centre (ACSC) responded to nearly 30 per cent fewer cybersecurity incidents over the 2020-2021 financial year, but the severity of those incidents increased.

The Federal Government’s chief cybersecurity agency responded to 1,630 security incidents over the FY2021 period, according to its latest annual threat report, representing a 28 per cent drop on the 2,266 incidents recorded in the previous financial year.

However, nearly half (49 per cent) of the incidents recorded over FY21 were identified by ACSC as ‘category four’ – that is, “substantial in impact”.

The national cybersecurity agency categorises each incident it responds to on a scale from ‘category one’ (most severe) to ‘category six’ (least severe).

By contrast, the highest proportion of cyber incidents from the prior reporting period (FY20) came from ‘category five’ (36 per cent), indicating that the nature of cyber incidents appears to have worsened over FY21.

More than half the incidents ACSC responded to over FY21 stemmed from “low-level malicious activity”, such as targeted reconnaissance, phishing, or non-sensitive data loss.

Crucially, critical infrastructure organisations accounted for approximately a quarter of all reported cyber incidents over FY21. However, just four per cent of these were from the financial and insurance services sector.

Meanwhile, reports of ransomware increased by 15 per cent over FY21, with this type of attack rated by ACSC as “one of the most significant threats to Australian organisations”.

“While the number of ransomware-related cybercrime reports is a relatively small proportion… ransomware remains the most serious cyber-crime threat due to its high financial impact and disruptive impacts to victims and the wider community,” the ACSC said.

Of particular concern is an increasing trend of data theft, encryption and public shaming, reflecting an “ongoing evolution” of ransomware tactics designed to ensure financial success, the ACSC added.

The agency refers to this combination of encryption and data theft as “double extortion”, noting that payment is increasingly demanded in cryptocurrency (favoured by criminals because it is pseudonymous and harder to trace than conventional transfers) in return for a promise not to publish the stolen data.

The ACSC also observed an increase in “professional syndicates operating ransomware-as-a-service (RaaS)” over FY21. This reflects an evolution in criminals’ “franchising arrangements”: developers supply the malware and infrastructure, affiliates carry out the intrusions, and the barrier to entry for would-be attackers is effectively lowered.

With Covid-19 driving a continual shift towards remote working, Australia’s chief cybersecurity agency further highlighted the perennial threat posed by business email compromise (BEC) scams to enterprises.

“In the 2020–21 financial year, the average loss per successful [BEC] event has increased to more than $50,600 (AUD) – over one-and-a-half times higher than the previous financial year,” the report said.

The ACSC attributes this alarming BEC trend to the growing sophistication and organisation of criminal groups, which have “developed enhanced, streamlined methods” to target Australians.

Apart from Covid-19 phishing emails and e-shopping scams, superannuation scams emerged as a key focus for cyber criminals, who also launched widespread BEC campaigns over FY21.

At the same time, ACSC figures reveal that its online cybercrime reporting tool, ReportCyber, received 67,500 reports over FY21 – a near 13 per cent increase on FY20.

Of these, the top three types of cybercrimes reported over FY21 were fraud (23 per cent), shopping (17 per cent) and e-banking (12 per cent) related scams.

The ACSC further revealed that self-reported cybercrime losses stood at more than $33 billion in total over FY21, with malicious actors increasingly exploiting pandemic-related upheaval to attempt novel forms of cyber-attacks.

ACSC’s Annual Threat Report can be viewed here.