ASD Cyber Threat Report key findings

Developed by the Australian Signals Directorate (ASD), the ASD Cyber Threat Report 2022-2023 reveals the top cyber threats and cyber security incidents affecting Australia.  

The report offers practical advice and guidance for Australian entities to enhance cyber resilience and protect data and assets. 
Key findings: 

  • Around 34% of data breaches involved exploitation of internet-facing applications 

  • Publicly reported common vulnerabilities and exposures (CVEs) increased 20% 

  • Ransomware remains the most destructive cybercrime threat to Australians. But other forms of cybercrime: business email compromise (BEC), data theft, and denial-of-service (DoS) continue to have significant impact. 

Evolving criminal tactics and an increase in cybersecurity incidents 

Abi Bradshaw, Head of the Australian Signals Directorate's Australian Cyber Security Centre, said while cybersecurity capabilities and awareness in Australia improved over the last year, the cyber threats and tactics of malicious cyber actors continue to evolve. 

Over the past 12 months, approximately 94,000 reports were made through ReportCyber, an increase of 23% from the previous year. 

"On average one report is made every six minutes, an increase from one report every seven minutes the previous year."
ASD Cyber Threat Report 2022-2023 

Along with an increase in the volume of incidents, the average self-reported cost of cybercrime to businesses increased by 14% to: 

  • $46,000 for small businesses 

  • $97,200 for medium businesses 

  • $71,600 for large businesses 

For Australian businesses, the key threats were email compromise, business email compromise and online banking fraud. 

Breakdown of cybercrime reports by jurisdiction:

Growing threat to critical infrastructure  

The targeting of critical infrastructure persisted worldwide during 2022–23. Malicious threat actors exploited both old and new vulnerabilities to infiltrate networks, launch ransomware attacks and carry out other nefarious deeds. 

The ASD Cyber Threat Report outlines a February 2023 incident when an Italian energy and water provider was affected by ransomware. The ransomware attack targeted older and unpatched software, exploiting a two-year-old vulnerability. Reportedly it took the provider four days to restore systems.  

"During FY 2022–23, Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. Activity against these networks is likely to increase as networks grow in size and complexity."
ASD Cyber Threat Report 2022-2023

The most prevalent threats included compromised accounts and credentials, compromised assets, networks, or infrastructure and denial-of-service attacks (DoS). ASD responded to 79 incidents involving DoS and distributed denial-of-service (DDoS), more than double the 29 incidents reported in the previous financial year. 

Top 10 incident reporting sectors: 

Email compromise and fraud are top threats to business 

Almost $80 million in losses due to business email compromise fraud was self-reported to ReportCyber during 2022–23. The average loss exceeded $39,000 per incident. 

The ASD recommends organisations: 

  • implement clear policies and procedures for workers to verify and validate requests for payment and sensitive information 

  • register additional domain names to prevent typo-squatting – cybercriminals have been known to create misleading domain names based on common typographic errors of a website 

  • set up email authentication protocols for business domains  

  • refer to the ASD Preventing Business Email Compromise guide

Ransomware remains the most destructive cybercrime threat  

ASD documented 118 ransomware attacks, accounting for approximately 10% of all cyber security incidents. Ransomware continues to pose the most destructive cybercrime threat to Australian entities. 

Top 5 sectors reporting ransomware-related incidents:

ASD recommends against paying ransoms, warning that there is no guarantee cybercriminals have not already sold the data before demanding a ransom, or that they won’t after a ransom is paid. 

The ASD offers further information in its guide: How the ASD's ACSC Can Help During a Cyber Security Incident

"A quarter of the ransomware reports also involved confirmed data exfiltration."
ASD Cyber Threat Report 2022-2023

Timely OS patching is essential 

The number of published common vulnerabilities and exposures (CVEs) is increasing. Timely patch management reduces the window of opportunity for cyber actors to exploit vulnerabilities.  

"One in five critical vulnerabilities was exploited within 48 hours."
ASD Cyber Threat Report 2022-2023

Even though over 90% of CVEs have a patch or mitigation advice available within two weeks of public disclosure, half of the vulnerabilities were exploited within two weeks, and two in five vulnerabilities were exploited more than a month after a patch or mitigation advice was released. 

ASD recommends organisations: 

  • use an automated method to scan for security vulnerabilities at least fortnightly 

  • patch, update or otherwise mitigate vulnerabilities in online services and internet-facing devices within 48 hours when vulnerabilities are assessed as critical by vendors or when working exploits exist 

  • with limited cybersecurity expertise, who are unable to patch rapidly, use a reputable cloud service provider or managed service provider that can help ensure timely patching. 

Automated device management tools like Devicie provide peace of mind by consistently applying controls, automating OS patching and application updates and more. The workload of busy security and IT professionals is reduced, allowing them to focus on other pressing tasks.  

Cyber hygiene is key for effective defence  

Basic device management and adoption of recommended frameworks positions organisations well to harden security.  

ASD urges organisations to: 

  • Subscribe to ASD Alerts 

  • Select reputable cloud and managed service providers who uphold appropriate cyber security measures 

  • Test cyber security plans regularly 

  • Regularly review the cyber security posture of remote workers 

  • Train staff on cyber security and scam recognition 

  • Report incidents to  ReportCyber, or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371). The hotline is available 24 hours a day, ReportCyber, or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371). The hotline is available 24 hours a day, seven days a week.  

In tandem with implementing basic security hygiene measures, ASD recommends businesses adopt Essential Eight Maturity Model and architects and developers implement OWASP Top Ten Proactive Controls.  

Cybersecurity is an ongoing battle 

The ASD Cyber Threat Report for 2022-2023 paints a vivid picture of escalating cyber threats in Australia. Cybercriminals continuously evolve their tactics to exploit vulnerabilities.  

By prioritising cyber hygiene and implementing recommended strategies and controls, businesses can significantly enhance their resilience against common cyber threats. 

Glyn Geoghegan   

Cyber security practices for small and medium-sized businesses

Don't let budget constraints hinder your business's cyber security efforts. Make strategic investments, build on existing knowledge and implement practical steps to build a robust digital defence. 


Securing your endpoints is critical for defence in depth

A look at why neglecting endpoint security could be a costly oversight. Jason Fairburn details how to strengthen your defence in depth strategy and prevent initial breaches.

Martin McGregor

Why organisations are failing to close the gap on ransomware

Despite ransomware being a prevalent global threat, many businesses fail to have sufficient ransomware protection or the measures to address it effectively.