Cybercrime attack number expected to double in the next five years


On average, Australia is hit by a cyber attack every two minutes, with experts expecting the number to double in the next five years.
Harrison Ford starred in the 2006 movie, Firewall, directed by Richard Loncraine. | LLUIS GENE/AFP via Getty Images

In 2021, Australia experienced 745 cyber attacks per day, or one every two minutes, a 14% jump in the number of attacks reported in 2020.

According to AustCyber’s Digital Census 2022, 75% of cyber attacks against Australian organisations are not reported to the Australian Cyber Security Centre (ACSC).

Unreported cyber attacks decrease national security and can cause more severe disruption to victims, the report says, and the number of cyber attacks is expected to double over the next five years. Experts believe that geopolitical tensions and ransomware will be the key drivers of an increasing number of attacks.

Stone & Chalk Group and AustCyber CEO Michael Bromley and AustCyber* Group Executive Jason Murrell sat down with Forbes Australia ahead of Cyber Week 2022 to discuss where Australia is placed in the global fight against cyber attackers.

“The truth is cybersecurity knows no borders, no state lines, it doesn’t discriminate,” says Stone & Chalk’s Bromley. “It must be co-ordinated and driven from a position of co-operation, whether that be from states, federal government or independent corporations or small bodies like us.”

Jason Murrell, AustCyber Group Executive says, “We can do more. I don’t think we are doing enough to protect data. We have to have the conversations and work out what mechanisms we can put in place to protect data.

“The cyber criminal only needs to be right once. The company can protect themselves against a million things that might be known, but if they get it wrong once from a defensive point of view, [the cyber criminals] are in. The big telcos and banks, they are getting peppered thousands of times a minute, it is constant.”

Murrell says that often when cyber security incidences happen, many companies go into shutdown mode and try to fix it “behind the curtains”.

Jason Murrell | Image source: Supplied

“They don’t share any of the learnings. What we need is for companies to explain the lessons they learned and share that collectively so we all get better,” he says.

The pair discuss how some companies are not doing enough and other companies are doing as much as they can and trying to cover all bases. However, they admit that “there is no one way of getting it right”.

Bromley says, “Because you can’t be 100% safe does not mean you don’t try. In the case of cybersecurity, there are thousands and thousands of times when cybersecurity does work. That’s not what people get to hear about. We have solved a lot of it, and we will continue to do that. We will continue to be vigilant and continue to work progressively forward on that arms race. This is not new. It is how people have been bad to people since the beginning of time. The bottom line is, you are never safe from anything 100% but you learn to take protective and preventative measures and those measures get stronger and stronger, and you continue to do that. That is what we have to do as a country.”

Murrell says that with regard to solutions, Australia is “about five years behind other countries globally”, with some of the standout countries including the UK and Israel.

“There’s a lot of lessons we can learn,” Murrell says. “We could be one minute away from someone finding the next cybersecurity solution; it could be the next idea, the next invention, the next startup. It seems all consuming because it is in the news, and always comes from a negative point. Positive action could be part of the answer. When people are listening, we can get the message out that they might go and get a password manager or do something that can make things safer.”

Michael Bromley | Image source: Suppled

Bromley says, “Typically we have seen large corporations pass the buck for their own inability to act appropriately and pass that onto consumers. I don’t want to see that again … You need to hit it from the top down and the bottom up. There isn’t a pass-the-buck opportunity here. There is an opportunity to get better from both perspectives. Consumers do need to be better educated and understand the risks and be more vigilant and aware. It’s part of a solution. At the same time, corporations have to be more vigilant, they have to be more secure and concerned with their clients and customers data. There is no magic bullet here.”

Murrell says there are three things that people can do in a holistic approach:

  • Use a password manager and recognise the importance of a strong password
  • Use multifactor authentication
  • Deploy updates as soon as they become available (often the patching is for a security vulnerability)

In the case of a ransomware attack, if you have backed up to a secure cloud or external device, then you can go and download your data from your external device and carry on, Murrell says.

Social engineering and phishing attacks require education and awareness a,nd Bromley says that people should understand that there is some data they do not have to hand over. “We do it to be polite, or out of a sense of obligation. It is not always necessary and should be challenged. Often it can be purely for marketing purposes. You have a right to ask what the information is being used for, is it necessary and you have a right to decline.

“Threats are increasing worldwide and we are still lagging as a country. That’s a critical piece and that’s partly the skills, partly the labour, but it is also the will and the investment,” Bromley says.

“Stronger cybersecurity is fundamental, and it has to be baseline for us from a business or social point of view. It can’t be an afterthought or a bolt-on. We need more ecosystem builders. We need more people, not picking individual winners but helping float all the boats by building a stronger base, a stronger platform to work from so that more homegrown cyber capability can be developed and utilised in Australia. Because that removes a tremendous amount of international breadth from bad actors who can mask where they are really coming from. If homegrown cybersecurity is the safest, and it is, then we need to be doing more to promote that in this country.”

*AustCyber was merged into Stone & Chalk in 2021.


The Australian Cyber Security Centre (ACSC) answered over 25,000 calls to the Australian Cyber Security Hotline for advice and assistance – an average of 69 calls per day, and an increase of 15% from the previous financial year, according to the SMB cyber security report that was released on Friday 11 November 2022, by global cyber security firm ESET.

Financial losses due to business email compromise (BEC) increased to over $98 million, with an average loss of $64,000 per report.

Fraud, online shopping and online banking were the top reported cybercrime types, accounting for 54% of all reports. All sectors of the Australian economy were impacted by ransomware incidents, with the average cost per report increasing 14% compared to last financial year.