The Australian Institute of Criminology releases report on Cybercrime in Australia 2023. Underlines what is well understood by those in the privacy and cyber security field, that the situation is bad and getting worse.

June 29, 2023

This is another report stating what has long been understood by those involved with cyber security and privacy law: cybercrime is a chronic problem that is getting worse. The Report covers a broader range of cyber crimes, including online abuse and harassment, which was 27% of the reported cyber crimes in the survey. The Report by the Australian Institute of Criminology makes for sobering reading. It is a comprehensive report, at 113 pages.

The harms from cyber crime are significant. That makes it all the more concerning that there is such poor education on how to recognise some forms of cyber crime, such as ransomware, fraud and cyber scams. The loss to business from data breaches puts into sharp relief the need for individuals and businesses to maintain proper cyber defences. The lax state of affairs is as much due to poor regulation and enforcement as it is to poor education.

The Abstract provides:

This is the first report in the Cybercrime in Australia series, which aims to provide a clearer picture of the extent of cybercrime victimisation, help-seeking and harms among Australian computer users. It is based on a survey of 13,887 computer users conducted in early 2023. In the 12 months prior to the survey, 27 percent of respondents had been a victim of online abuse and harassment, 22 percent had been a victim of malware, 20 percent had been a victim of identity crime and misuse, and eight percent had been a victim of fraud and scams. Overall, 47 percent of respondents experienced at least one cybercrime in the 12 months prior to the survey—and nearly half of all victims reported experiencing more than one type of cybercrime. Thirty-four percent of respondents had experienced a data breach. Cybercrime victimisation was not evenly distributed, with certain sections of the community more likely to have been a victim, and certain online activities associated with a higher likelihood of victimisation.

Most cybercrime victimisation went unreported to police or to ReportCyber, meaning official statistics significantly underestimate the size of the problem. Satisfaction with the outcomes of these reports was mixed, and relatively few reports resulted in an offender being apprehended. Rates of help-seeking varied and were influenced by the perceived seriousness of cybercrime and knowledge of how and where to report it.

The financial losses experienced by victims were wide ranging. Some victims reported losing large sums of money, but most victims reported relatively small financial losses. This report measures, for the first time, the harms experienced by individual victims and small businesses that extend beyond these financial costs. Twenty-five percent of respondents were negatively impacted by cybercrime in the 12 months prior to the survey, while 22 percent of respondents who owned or operated a small to medium business said their business was negatively impacted by cybercrime.

The Scope of the report was described in these terms:

The focus of this report is on cybercrime, rather than cybersecurity events, although the two are not mutually exclusive. The latter is defined by the ACSC (2023: np) as ‘an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security’. Cybersecurity victims tend to be governments and business, and the target is usually a computer network, software or hardware. Some of these crimes, such as malware, are covered in this report. While the Australian Cybercrime Survey measures crime against individuals, some of these individuals may own or operate a business, and respondents could report cybercrime on a personal or work device. Further, cybercrime experienced by individuals may be a direct consequence of a cybersecurity incident, such as where a data breach targeting an organisation leads to identity crime and misuse against the customers.
The types of cybercrime covered by this report fall into four broad categories:
• Online abuse and harassment—online communication to or about an individual which may cause them emotional distress. This includes behaviours such as sending abusive messages, image-based abuse, setting up fake social media accounts to harass someone or stalking someone using a phone or other device.
• Malware—short for ‘malicious software’, this refers to software specifically developed and used to harm a computer system or network. It is used to gain access to a computer and can be used to steal confidential information.
• Identity crime and misuse—incidents where a person’s personal information is obtained or used without their permission. A perpetrator could pretend to be the person, to carry out a business in their name without their permission, or for some other type of activity or transaction.
• Fraud and scams—involve intentionally deceiving someone to obtain money or something else of value, such as personal information.

Except for malware, these are crimes that can also occur offline. To be included in this report, the incident must have involved a digital device, computer network or other forms of ICT.

In terms of the victims of cyber crime, the survey found:

• Younger respondents were consistently more likely to report having been cybercrime victims than their older counterparts.
• Men were more likely than women to be the victim of fraud and scams and online abuse and harassment.
• For each of the four types of cybercrime, First Nations respondents were significantly more likely than non-Indigenous respondents to become a victim.
• Respondents who identified as LGB+ (lesbian, gay, bisexual or other non-heterosexual orientation) were significantly more likely than heterosexual respondents to have been a victim of online abuse and harassment and malware.
• Respondents who mainly spoke a language other than English at home were more likely to have been a victim of malware, identity crime and misuse, and scams and fraud.
• Respondents with a restrictive health condition were more likely than other respondents to have been a victim of each type of cybercrime.
• Respondents currently in a relationship were less likely than respondents not in a relationship to be a victim of online abuse and harassment.
• Respondents with children living at home were more likely to have been a victim of identity crime and misuse than respondents without children.

Regarding data breaches, the Report stated:

Recent data breaches—which are known to have affected millions of Australians—have thrust cybercrime into the public spotlight. The observation period for the survey includes the period in which the customer databases of Optus and Medibank were breached. The Latitude Financial data breach was reported in the days after the completion of data collection, and it is unlikely that respondents would have been aware of it when they completed the survey.
Overall, one in three respondents (33.6%) had their financial or personal information exposed in a data breach in the 12 months prior to the survey. An earlier survey of 14,994 respondents, conducted in mid-2021, found only 9.3 percent of respondents had been notified of a data breach (Morgan & Voce 2022). While the current survey did not specify whether respondents had been notified of a data breach, they were asked how they discovered the data breach. The majority (79.6%) said they were notified by the company whose data was leaked or by a government or financial agency, meaning that 26.7 percent of respondents had been notified of a data breach—a threefold increase on the previous survey.
Data breaches were not included in the prevalence estimate for identity crime and misuse. However, victims of identity crime and misuse may identify these breaches as the way in which their personal information was obtained. Indeed, according to McAlister et al. (2023), one in seven (14.4%) identity crime and misuse victims said that, in the most recent incident, their information was obtained during a data breach. These breaches have been shown to significantly increase the likelihood of identity theft, online scams and fraud and ransomware (Morgan & Voce 2022). The high number of data breaches—likely compounded by further breaches in early 2023, after data collection had been completed—demonstrates the importance of proactive prevention strategies.

Regarding ransomware, the Report stated:

Ransomware continues to be a major concern. While significant attention has been given to ransomware attacks against companies that have been a target of a mass data breach, as well as critical services and infrastructure, ransomware can also impact individual computer users.
For the purpose of the survey, ransomware victimisation was defined as experiencing signs of a malware attack, usually encryption, along with demands of payment to restore functionality; to restore access to systems, devices or files; or to prevent data or information from being leaked or sold online. Based on this definition, 2.4 percent of respondents (n=331) had experienced this kind of ransomware victimisation in the 12 months prior to the survey.
More than half of ransomware victims reported their devices, servers, service or networks were disrupted (eg slowed down, lost connection, had outages) and they received instructions for paying a ransom to restore functionality (n=203, 1.5% of all respondents). Others reported that their systems, devices or files had a virus or were inaccessible (eg locked or unreadable) and that they had received instructions for paying a ransom to restore access (n=154, 1.1% of all respondents). Further, 11.7 percent of ransomware victims (n=39, 0.3 percent of all respondents) said they had been extorted for payment to prevent the data being leaked or sold online, a practice known as ‘double extortion’.
However, not all respondents who said they had received a ransom message said their device had been encrypted or disrupted. A further 2.4 percent of respondents said they had received a ransom message in the 12 months prior to the survey that said their data had been stolen and they had to pay to prevent the information being sold or leaked online, but did not report their device as having been disrupted or compromised. These may be true ransomware attacks where the data have actually been stolen, or fake attacks in which malicious actors pretend to have stolen data to demand payment. Overall, 4.8 percent of respondents received a ransom message on their device demanding payment in the 12 months prior to the survey (with or without device disruption or compromise). This was higher than the estimated 2.1 percent of respondents who received a ransom message on their device in a 2021 survey (Voce & Morgan 2021).

The Report had some very interesting insights into the impact of cyber crime on small to medium sized businesses, stating:

This study has highlighted the effects of cybercrime on small business owners, operators and managers. Respondents who owned and operated a small to medium business were significantly more likely than other respondents to have fallen victim to cybercrime in the 12 months prior to the survey. This was true for all types of cybercrime measured by the survey. While the survey did not specifically ask whether the cybercrime targeted a work or personal device, for many smaller businesses there may be no such separation.
When they fell victim, small to medium business owners and operators were more likely to have lost money or spent money on consequences and, when they did, they lost larger amounts of money than other victims. Two in five respondents who were small business owners and operators said their business was impacted as a result of cybercrime. Some of these effects—whether they relate to business operations, profitability or reputation—are not easily costed, meaning the businesses likely experienced financial impacts extending beyond those which could be estimated and counted in the survey.
Large corporations and government have access to significant resources for ICT security. Conversely, small to medium businesses may be large enough to have the infrastructure, data holdings (or access to networks of larger organisations) and profits to be attractive targets for cybercrime, but not the resources, expertise and capability to prevent cybercrimes. Despite losing larger amounts of money than other victims, there was little difference in reporting, suggesting that small business owners and operators may be reluctant to report. The effect of cybercrime on small businesses may have flow-on implications, such as for customers who are secondary victims of data breaches, or for larger organisations, if offenders use these smaller businesses in the supply chain to gain access to their systems and networks.
These results highlight the importance of building the capability of small to medium business operators to prevent cybercrime and ensuring that support for victims is both available and accessible.
