
On 14 October 2025, the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) published their Annual Cyber Threat Report 2024-2025.

While the results overall won’t be a surprise for those who keep up with the many breaches reported in the media, the report is sobering reading. In FY2024–25, ASD’s ACSC received over 42,500 calls to the Australian Cyber Security Hotline, a 16% increase from the previous year. ASD’s ACSC also responded to over 1,200 cyber security incidents, an 11% increase. During FY2024–25, ASD’s ACSC notified entities more than 1,700 times of potentially malicious cyber activity – an 83% increase from last year – highlighting the ongoing need for vigilance and action to mitigate against persistent threats.[1] 

Some of the trends of most concern are:

  • the average self-reported cost of cybercrime per report for all business is up by 50% - for large business, the figure is a 219% increase – perhaps
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) incidents increased 280% from last year, with a large number of these attacks being directed at critical infrastructure and government targets
  • the number of cyber security incidents responded to by the ACSC increased by 11% from last year.

Government and critical infrastructure remain major targets

As in previous years, Federal Government remains the top target by a wide margin (32%, down from 37% last year), followed by state and local government (14%, up from 12% last year).

Of note, financial and insurance services moved from 8th in the list in 2024 (4%) to 3rd in the list this year (7%).

Health care and social assistance (6%) and information media and telecommunications (6%) round out the top five target segments.

Critical infrastructure (CI) remains a top target for a range of attackers – state-sponsored cyber actors, cybercriminals and hacktivists – which is a key part of the rationale for, and importance of, the Security of Critical Infrastructure Act 2018 (Cth). For responsible entities of critical infrastructure, the ACSC has existing guidance and support available – CI Fortify and the Critical Infrastructure Uplift Program (CI-UP) – to protect against cyber risks and mitigate the potential harm of a service disruption. CI holds sensitive data and is critical to supporting Australia’s sovereignty. As noted in the report, CI often relies on complex information technology and operational technology networks, with complex supply chains. While these networks allow CI responsible entities to deliver services to the Australian people, they also present an ever-growing attack surface, which includes both the responsible entities themselves and those within their supply chains.

Who is attacking?

It is well known that cybercriminals target Australian individuals and organisations for financial gain, attempting to conduct fraud or extortion through ransomware attacks or data theft. Cybercriminals are also likely to conduct multiple layers of extortion, where they not only encrypt a victim’s network but also steal the data prior to encryption and threaten to release the data if their demands are not met.[2]

Such criminals have become more sophisticated and indeed provide their services for a fee: cybercrime-as-a-service.

Ransomware continues to be lucrative and while education has dropped out of the top 5 reporting sectors in the report, private school children’s parents have been a recent target.

The report also notes the important role of state-sponsored cyber actors. State-sponsored cyber actors conduct operations to serve political and military objectives, including cyber espionage, malign influence, interference and coercion, or to pre-position for disruptive and destructive cyber effects in the event of crisis or conflict. State-sponsored cyber actors routinely target Australian government networks for cyber espionage purposes. Government and defence-related information is an attractive target for state-sponsored cyber actors seeking strategic insights into Australia’s national policies and decision-making.

Where are you vulnerable?

While cyber attackers may be sophisticated, they also target common vulnerabilities. For example, they look for a weak link in an IT supply chain, or engage in phishing, smishing and quishing to steal personal information and then use those stolen credentials to gain access to networks or accounts.

They exploit vulnerable edge devices and software. Edge devices connect a private network, such as your home or work, with a public, untrusted network like the internet. The most common edge devices used include home and enterprise routers, firewalls and virtual private network (VPN) products.[3] They also target old IT, called legacy IT, where software and equipment are at the end of their life and are no longer supported by the original equipment manufacturer/software vendor.

In the case of social engineering attacks, cyber attacks can be highly effective even with limited technical knowledge on the part of the attacker. The ACSC reported that 38% of reported incidents involved social engineering as an initial access technique. Programs to train personnel and support their vigilance are a key security issue.

Resilience - ACSC’s 4 key actions

For organisations, the ACSC identifies four key actions:

  • Implement effective event logging – effective event logging can be critical for the detection and investigation of an incident. A more efficient investigation can mean lower investigation costs, and potentially also reduce the degree of loss or harm arising from an incident by increasing the speed in which remediation activities can occur.
  • Manage legacy IT risks – legacy IT that is no longer properly supported can be a major source of risk.
  • Choose secure and verifiable technologies – the ACSC notes that ‘The procurement of any digital product or service increases the attack surface of an organisation’s information environment’. Technology and service procurement requires proper due diligence (including in particular IT security assessments) and ongoing contract management and governance.
  • Start preparing for post-quantum cryptography – advances in quantum computing may in the relatively near future break a number of commonly-used encryption algorithms (with the result that the owner of the computer can unlock and read previously encrypted data without the encryption key). Certain encryption algorithms have been identified which are unlikely to be broken by quantum computers, so organisations should be planning on implementing these algorithms.

To target areas of common vulnerability in internet-connected information technology networks, the ACSC recommends organisations implement the eight mitigation strategies from its publication Strategies to mitigate cybersecurity incidents, known as the Essential Eight. The Essential Eight are:

  • patch applications
  • patch operating systems
  • multi-factor authentication
  • restrict administrative privileges
  • application control
  • restrict Microsoft Office macros
  • user application hardening
  • regular backups.

The ACSC has established an Essential Eight Maturity Model to guide organisations on the levels of implementation of the Essential Eight (from Maturity Level 0 to 3). While non-corporate Commonwealth entities are required to achieve maturity level 2 under the Essential Eight Maturity Model,[4] the ACSC strongly encourages all organisations to adopt the Essential Eight Maturity Model.

The ASD Annual Cyber Threat Report 2024-2025 is available here

 

[1] Page 1, Annual Cyber Threat Report 2024-2025: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[2] See p18, Annual Cyber Threat Report 2024-2025: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[3] See pp 35-36, Annual Cyber Threat Report 2024-2025: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[4] Section 14.2, Australian Government Protective Security Policy Framework (Release 2025).

 
