The ACSC's Annual Cyber Threat Report is the most authoritative public source on the cyber threat environment facing Australian organisations. Published annually, it draws on incident data, intelligence reporting, and industry engagement to characterise the threats businesses and government agencies actually face.
Self-Reported Cybercrime Losses
The 2023-24 report noted that cybercrime cost Australian businesses and individuals over $3.1 billion in self-reported losses during the period. remained the category with the highest average financial loss per report. reports to the ACSC increased compared to the prior year.
The Critical Infrastructure Targeting Trend
State-sponsored actors continued to conduct and pre-positioning operations against Australian critical infrastructure. The ACSC noted that these actors prioritise establishing persistence that could be activated during future geopolitical tensions. While this threat is most directly relevant to infrastructure operators, the supply chain implications affect technology vendors and service providers across many sectors.
Vulnerability Exploitation Speed
The report highlighted the continued compression of the time between public disclosure and active exploitation. Vulnerabilities in internet-facing systems — particularly network appliances, VPN gateways, and remote access tools — are being exploited within hours of public disclosure in some cases. This reinforces the patching timeframes as a floor, not a target.
Recommendations That Map to Essential Eight
The ACSC recommendations in the report align closely with Essential Eight controls: enforce , patch promptly, implement application control, restrict admin privileges, and maintain tested backups. The consistency across years of ACSC advice reflects the reality that the most significant risk reduction comes from these foundational controls, not from more sophisticated measures.



