SMEs are top cyber-crime target: ACSC

Owners of small and medium enterprises (SME) lost thousands of dollars due to cyber-related crimes over the 2020/21 financial year, according to the Australian Cyber Security Centre’s (ACSC) latest Annual Cyber Threat Report. 

The new report revealed that the ACSC received a total of over 67,500 self-reported cases of cyber crime, a 13 per cent year-on-year increase on the year prior. 

The cyber incidents resulted in more than $33 billion in losses in FY21, with medium-sized businesses reporting the highest average financial loss per cyber-security incident, at $33,442. 

Similarly, the number of incidents reported by small businesses increased compared to last year, with the average financial loss being $8,899. 

Large organisations were found to have experienced an average loss per report of $19,306. 

In addition to these findings, the ACSC found that fraud was the most common form of cyber crime, accounting for approximately 23 per cent of all reported cases last year.

The second and third-most common were crimes that orbited shopping (17 per cent) and online banking (12 per cent). 

However, this financial year also saw an increase in financial losses related to business email compromise (BEC) cyber crimes – an act where criminals will compromise a business or personal email account to impersonate a supplier or representative. 

According to the report, despite the number of BEC reports decreasing compared to last year (accounting for 7 per cent of this period’s total figure), self-reported losses as a result of this scam increased by 15 per cent, accounting for roughly $81.45 million. 

Strikingly, the average loss per successful BEC transaction also grew compared to last year, rising by 54 per cent from $32,935 to $50,673. 

The Western Australian government issued a warning about similar scams targeting home buyers earlier this year, following reports of prospective home buyers irretrievably losing hundreds of thousands of dollars after being misled by hackers posing as settlement agents, and brokers have also recently been victims of similar BEC attacks.

In fact, the financial and insurance services were a common sector for cyber-criminal attention, accounting for 4 per cent of all cyber-security incidents according to the ACSC, making it the equal top-sixth sector for this kind of activity. 

This echoes the findings from the latest Notifiable Data Breaches Report, published by Office of the Australian Information Commissioner (OAIC) last month, which revealed that roughly 58 per cent of data breaches in the financial sector were considered to be malicious or criminal related during the first half of 2021. 

Similarly, Imperva Research Labs found that web attacks (largely distributed denial of service [DDoS] and ransom DDoS attacks) towards the financial sector increased by 38 per cent between January and June 2021. 

The findings of these reports highlight the need for both brokers and owners to take steps to bolster their security position. A sentiment shared by aggregator firm Connective group’s counsel Daniel Oh earlier this month who noted that industry should become more vigilant. 

“Attacks like these can lead to many serious consequences, like theft of funds and exposure of private and confidential client identity and financial data,” he said.

“This is why brokers need to arm themselves with all the tools available to avoid a worst-case scenario.

“Brokers have been incredibly resilient and adaptable in recent times managing significant change.

“Whether it be increased compliance with best interests duty, accelerated digital transformation, or managing ongoing lockdowns, brokers have responded well – but we are seeing evidence that proactively managing cybersecurity risk has either dropped down the list of priorities, or is not even on the radar for some brokers amongst so much other change.”

[Related: Momentum launches new cyber-security podcast]