AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis
software upgrades gone wrong as in the case of CrowdStrike-Microsoft Outage in July 2024. Attacks by state-sponsored and independent actors are only set to increase. And the importance of effective cybersecurity laws and protections is becoming ever-more critical.

The Australian Signals Directorate’s (ASD) Annual Cyber Threat Report for 2023-24 (the “ASD 2023-24 Report”) confirmed that the “top 5” sectors reporting cyberthreats remained the same as FY2022-23: federal government, state/local governments, healthcare, and tied fifth were education, professional/scientific services, utility services and information/telecommunications services. Yet vulnerabilities beyond these sectors should not be understated.

Threat Landscape

Victim typologies

The ASD 2023-24 Report flagged that the ASD responded to 11,000 cybersecurity incidents and received over 87,400 cybercrime reports (which was, in fact, a drop of 7%). The crime trends differ amongst targets:

• for individuals, self-reported cybercrimes comprised identity fraud (26%), online shopping fraud (15%) and online banking fraud (12%);
• for businesses, it was email compromise (20%), online banking fraud (13%) and business email compromise fraud (13%); and
• for critical infrastructure, it was compromised accounts or credentials (32%), malware infection (excluding ransomware) (17%), and compromised asset, network or infrastructure (12%).

With the government’s focus primarily being on critical infrastructure, there remains a growing concern that small businesses are low-hanging fruit: vulnerable, ill-prepared, and increasingly targeted. Yet, most small businesses are exempt from basic statutory obligations such as the Privacy Act 1988 (Cth) (the “Privacy Act”). Immediate resourcing and compliance costs must be weighed against costs and damage of potential attacks.

Increasing efficiency of attacks

Attacks are becoming more efficient and sophisticated. This capacity strengthening is due, in part, to AI; however, such developments may also assist countermeasures. In recognition of this double-edged sword, the ASD has published resources for businesses and government, including Best Practices for Deploying Secure and Resilient AI Systems.

Similarly, the ASD recently confirmed that 2023 saw a rise in zero-day vulnerabilities (ie, exploitation of an unknown vulnerability, which developers have had “zero days” to address). Overall, this emphasises the need for the proactive “stance of ‘when’ not ‘if’ a cybersecurity incident will occur”, as well as a pre-emptive approach such as with the secure by design principles.

State-sponsored attacks

Regulators noticed:

• state-sponsored actors targeting supply chain compromises;
• PRC state-sponsored actors’ “increasingly emerging” living off the land (LOTL) techniques, “pre-positioning” themselves on or adjacent to critical infrastructure networks “for disruptive effects rather than traditional cyber espionage operations”; and
• Russian-sponsored actors adapting their operations to match industry shifts to cloud-based infrastructure.