Which Australian industries are most targeted by cyberattacks?
“The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations,” the agency wrote in its latest annual cyber threat report. “The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.”
The study also noted how the coronavirus outbreak contributed to the growing number of cyberattacks. The agency’s data showed that more than 1,500 of the reported malicious cyber activity during the financial year was related to the COVID-19 pandemic. The figure is equivalent to about four incidents daily. Of these, over three-fourths resulted in the loss of money or personal information.
Overall, self-reported losses from cybercrime during the period totalled more than $33 billion.
Read more: What’s driving up cyber insurance premiums in Australia?
‘Gaping holes’ in cybersecurity making coverage harder to secure
In a separate report, global tech giant Thales Group cautioned that even with the level of cybersecurity measures Australian businesses are implementing, many of them are still exposed to significant cyber risks.
Brian Grant, ANZ director at Thales Cloud Security, warned that cyber awareness training, paying ransoms, and other outdated approaches do not mitigate risks among data-dependent organisations.
“Staff turnover and inconsistent skills, combined with advanced social engineering by attackers, make cyber awareness ineffective, while paying a ransom only fosters more criminal behaviour,” he said. “It’s encouraging that many businesses have increased security budgets and devised cyber-incident response plans, but a worrying lack of effective data security continues to leave gaping holes for criminals to exploit.”
These “gaping holes” were among the reasons why cyber coverage has become increasingly challenging to secure for many companies, one expert stressed.
“The cover offered by insurance providers has gained increased attention during the COVID-19 lockdowns,” wrote Scott Hesford, director of solutions engineering, Asia-Pacific and Japan at system software company BeyondTrust, in an article for Consultancy.com.au. “With many of their staff working from home, businesses are realising their pre-pandemic security measures are no longer providing the level of protection they require.
“A reliance on firewalls and other on-premise measures are simply insufficient. Home-based workers – thanks to insecure Wi-Fi, unpatched personal devices, and generally poor cyber hygiene – are more susceptible to everything from phishing campaigns to ransomware attacks and more.”
Read more: Cyber resilience concerns intensify in Australia
These situations, according to Hesford, have pushed cyber insurers to tighten underwriting guidelines and require customers to have certain security controls in place before they can access coverage. He added that insurance companies are becoming more selective about who they are willing to cover.
“Qualification for cyberattack coverage is being carefully assessed and potentially denied based on the answers of prospective and current customers to comprehensive security questionnaires,” Hesford explained. “Insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don’t qualify or otherwise pose too big a risk.”
Which Australian industries are most targeted by cyberattacks?
Several studies have been conducted to determine the industries that are most vulnerable to cyberattacks. The results vary depending on which organisation did the research, but one common denominator is that the sectors found to be the most targeted were critical infrastructure providers.
ACSC’s report revealed that almost a quarter of reported cyber security incidents affected organisations providing essential services, including education, health, communications, electricity, water, and transport. These sectors occupied the third to sixth spots of the agency’s top 10 reporting industries, trailing only government entities, which accounted for more than a third of all reported cyberattacks.
These are the sectors that reported the highest number of cybersecurity incidents during the 2020-21 financial year, according to ACSC.
Commonwealth government: 19.5%
State, territory, and local government: 15.2%
Professional, scientific, and technical services: 9.7%
Healthcare and social assistance: 7.3%
Education and training: 6.2%
Information media and telecommunications: 5.6%
Financial and insurance services: 4%
Retail trade: 4%
Construction: 3%
Manufacturing: 3.7%
Read more: Cybersecurity agency issues cybercrime warning to businesses
A separate tracking conducted by the Office of the Australian Information Commissioner (OAIC) recorded 464 cyber incidents in the second half of 2021, an increase of about 6% from the first half of the year.
Data gathered by OAIC’s Notifiable Data Breach scheme revealed that malicious or criminal attacks remained the leading source of breaches, accounting for 256 notifications, or 55% of the total, down 9% from 281 in the first six months of 2021. This was followed by data breaches resulting from human error, which took up 41%.
Healthcare was the highest reporting sector, with 18% of all breaches that the OAIC received coming from the industry. Financial services followed, disclosing 12% of the total notifications. Legal, accounting, and management services (11%), personal services (8%), education (7%), and insurance (7%) rounded up the top five industries reporting the most cyber breaches.
Read more: Ransomware attacks – should Australian businesses pay up?
Data pulled from Darktrace’s customer base, meanwhile, has shown that healthcare was the most targeted industry in Australia in 2021, overtaking the financial and insurance sector, which ranked first the year prior.
The global cyber defence specialist’s early indicator analysis revealed that cyberattacks targeting the health and social care sector doubled last year compared to 2020. Figures also indicate that the trend is continuing in the first quarter of 2022, with the industry registering a 37% year-on-year spike in malicious activity.
The IT and communications sector likewise saw a 13% increase in cyber incidents, while attacks on the financial sector decreased by 35% from the same period last year.
“The sharp and significant rise in attacks on Australia’s health and social care sector suggests that attackers pivoted to targeting healthcare at a time when security teams were particularly overstretched and new infrastructures such as contact tracing, electronic test reporting, digital certificates and vaccine appointment bookings were being rolled out across the country,” the report noted.
“The continued rise in attacks likely reflects that at times of heightened geopolitical tension, for both nation-state actors and lone cybercriminals alike, critical infrastructure and services remain a top target to conduct espionage and cause maximal disruption.”
Read more: CISOs warn of gaps in cybersecurity strategies
Ten biggest data breaches in Australia
Hobart-headquartered cyber resilience platform UpGuard has compiled a list of the biggest data breaches in Australia in recent years, which the firm said was aimed at helping businesses “avoid some of the common malpractices that facilitate” such incidents. Many of the incidents below were targeted at the healthcare, financial services, education, and government sectors – industries that reported the highest number of attacks last year. Here are the top 10 incidents based on the scale of impact, according to UpGuard.
Rank
Organisation
When
Impact
Type of data compromised
1
Canva (graphic design platform)
May 2019
137 million users
Usernames
Real names
Email addresses
Country data
Encrypted passwords
Partial payment data
2
Ubiquiti Networks (communication device vendor)
December 2020
Up to 85 million people (unconfirmed)
Names
Email addresses
Salted/hashed password credentials
Home addresses
Phone numbers
3
ProctorU (online proctoring services)
July 2020
444,000 people
User records with email addresses belonging to members of more than a dozen of Australia’s top universities
4
Australian National University (ANU)
November 2018
200,000 students
Names
Addresses
Phone numbers
Dates of birth
Emergency contact details
Tax file numbers
Payroll information
Bank account details
Student academic results
5
Eastern Health (hospital operator in Melbourne)
March 2021
Four hospitals
None
6
Service NSW (government agency)
April 2020
104,000 people
Five million documents accessed, 10% of which contain sensitive data
7
Melbourne Heart Group (specialist cardiology unit in Cabrini Hospital)
February 2019
15,000 patients
None
8
Australian Parliament House
February 2019
Multiple political party networks – Liberal, Labor, and the Nationals
No sensitive data compromised
9
Ambulance Tasmania
January 2021
Every resident that requested an ambulance between November 2020 and January 2021
HIV status
Gender
Age
Address of each emergency incident
10
Northern Territory Government
February 2021
4,400 emails
Personal and business emails
Source: UpGuard