The Australian Cyber Security Centre has just released its Annual Cyber Threat Report 2024–25 — The findings apply to everyone — from individual consumers and SMEs to large enterprises and critical infrastructure operators.
This year’s report paints a clear picture: cybercrime in Australia isn’t just growing, it’s getting smarter, faster, and more personal.
Here are the key findings of the report
First:
Identity fraud remains the most frequently reported cyber-crime in Australia.
Phishing and social-engineering attacks featured in roughly 60% of all incidents the ACSC investigated. That means human error — not technology — continues to be the single biggest entry point for attackers.
Second:
Denial-of-Service attacks — or DDoS — have surged. The ACSC responded to more than 200 incidents this year, a 280% jump compared to last year.
A DDoS attack works by overwhelming a website or online service with fake traffic until it crashes — like hundreds of thousands of people trying to push through a single door at once. Attackers often use these floods of traffic to distract IT teams or hide a deeper intrusion happening elsewhere in the network.
Third:
State-sponsored actors remain a major strategic concern. The report calls out persistent targeting of Australian networks — especially those tied to government, energy, telecoms, and transport. These aren’t random hacks; they’re long-term campaigns designed to gather intelligence or prepare for future disruption.
Fourth:
Legacy and “edge” devices — things like routers, firewalls, and VPN gateways — continue to be soft targets. When attackers exploit these systems, they can bypass corporate defences entirely. And in some cases, Chinese-manufactured home Wi-Fi routers have been hijacked into global botnets — turning remote-worker networks into stepping stones for corporate breaches.
Finally:
Emerging technology brings new risks. Adversaries are already using Generative AI to craft realistic phishing messages and fake customer interactions, and the ACSC warns that organisations should start preparing for post-quantum cryptography — the next frontier in data protection.
How to Act — Top 3 Takeaways
1. Harden the basics.
Strong, phishing-resistant multi-factor authentication, regular patching, and unique passphrases remain the most effective defences. These simple steps stop the majority of attacks.
2. Know your crown jewels.
Map and protect the data, systems, and vendors that matter most. Most breaches start in third-party environments — so vendor security reviews and least-privilege access are critical.
3. Assume breach and monitor.
Operate as if attackers are already inside your network. Invest in logging, detection, and incident-response drills so your team can act fast when something goes wrong.
Closing thought:
The ACSC report makes it clear — Australia’s cyber threat environment is accelerating, but the fundamentals of defence haven’t changed. If you lead IT, now is the time to tighten controls, educate teams, and patch the routers at home as carefully as the servers in the data centre.
Thanks for listening. This podcast was produced by a human and narrated by me, an AI. If you found it useful, follow and share. Full links and resources at Coffeehouse.studio or in the show notes.
