The ASD's Annual Cyber Threat Report is the most authoritative public source on the cyber threat environment facing Australian organisations. Published annually, it draws on ACSC incident data, intelligence reporting, and industry engagement to characterise the threats businesses and government agencies actually face.
Self-Reported Cybercrime Losses
The 2023-24 report noted that cybercrime cost Australian businesses and individuals over $3.1 billion in self-reported losses during the period. Business email compromise remained the category with the highest average financial loss per report. Ransomware reports to the ACSC increased compared to the prior year.
The Critical Infrastructure Targeting Trend
State-sponsored actors continued to conduct reconnaissance and pre-positioning operations against Australian critical infrastructure. The ACSC noted that these actors prioritise establishing persistence that could be activated during future geopolitical tensions. While this threat is most directly relevant to infrastructure operators, the supply chain implications affect technology vendors and service providers across many sectors.
Vulnerability Exploitation Speed
The report highlighted the continued compression of the time between public vulnerability disclosure and active exploitation. Vulnerabilities in internet-facing systems — particularly network appliances, VPN gateways, and remote access tools — are in some cases being exploited within hours of public disclosure. This reinforces that the Essential Eight patching timeframes are a floor, not a target.
Recommendations That Map to Essential Eight
The ACSC recommendations in the report align closely with Essential Eight controls: enforce MFA, patch promptly, implement application control, restrict admin privileges, and maintain tested backups. The consistency of ACSC advice across years reflects the reality that the most significant risk reduction comes from these foundational controls, not from more sophisticated measures.



