Date posted: 20/03/2024 5 min read

5 lessons from businesses hit by cyber attacks

Accounting firms need to adopt a clear cyber strategy to counter growing threats.

Quick take

  • The latest cyber report from the Australian Signals Directorate reveals cyber attacks and related costs are on the rise.
  • Business email compromise is the greatest threat facing firms.
  • Vigilance with software patches and other cybersecurity measures can protect firms from reputational and financial damage.

The ASD Cyber Threat Report 2022–2023, released by the Australian Signals Directorate (ASD), paints a dismal picture for the nation’s governments, critical infrastructure, businesses and households, as they increasingly become the target of malicious cyber actors.

Here are the top five insights from the report that you and your firm should be aware of.

1. The number of reported cyber incidents increased by 23% in one year. Business email compromise was the top crime. Business email compromise occurs when a hacker tricks a staff member or the firm’s client or supplier into redirecting payments to a hacker’s bank account. It accounted for almost A$80 million in self-reported losses at an average of A$39,000 per incident. The ASD report advises firms to be aware of any changes in invoice details, such as a new email address or bank details, and to call an existing contact to verify such variations. Clawing back money lost may be possible if the incident is reported to ASD’s ReportCyber within 24 hours, according to the Australian Federal Police.

2. Recovery costs from a cyber incident increased by 14%. Surprisingly, medium-sized businesses incurred the highest average recovery cost of A$97,200, followed by large businesses (A$71,600) and small businesses (A$46,000). Ransomware remained the most destructive cybercrime threat and comprised 10% of all incidents. Accounting firms Nexia Melbourne and PKF Perth have both been victims. Thanks to offline backups, Nexia emerged unscathed, but PKF Perth was forced to inform clients as one of its directories had been encrypted.

3. Updating (or patching) software should be done within two weeks of an update being made available by the vendor, or within 48 hours if an exploitation in the software has been exposed. Hackers were successful in exploiting a software’s weakness within 48 hours 21% of the time, and within two weeks 30% of the time. After two weeks, they had a 49% success rate. Internet software and apps are key targets for hackers. The ASD recommends disabling any unnecessary internet-connected devices, using a reputable cloud service provider that provides regular updates, strengthening access controls, enforcing network separation, and closely monitoring systems for anomalous activity.

4. The ASD’s Essential Eight remains the best line of defence against a cyber attack. Implementing the Open Web Application Security Project’s (OWASP) Top Ten Proactive Controls will also help protect your firm’s data. The ASD recommends scanning for vulnerabilities and applying patches every fortnight, at a minimum. In early 2023, the Shire of Serpentine Jarrahdale in Western Australia missed a patch on its remote work server and experienced an attack as a result. In the ASD report, a shire representative said the cyber attack would not have happened had the team strictly adhered to the Essential Eight.

5. A well-rehearsed cyber incident response plan will reduce costs and reputational damage in the event of a breach. A plan gives firms a playbook on how to respond to a cyber incident, when and how to notify clients and authorities, the process for restoring data, and who is responsible for making key calls such as a ransom payment. Anu Kukar CA, Accenture’s cyber strategy lead, recommends testing your plan regularly and considering a retainer-style arrangement with a cyber response team. The ASD can also provide immediate assistance and work closely with response teams.

Find out more:

Did you know CA ANZ has its own CA Cyber Checklist for SMEs? The playbook includes tools and strategies to improve your firm’s cyber resilience.