IronSights
All insights

threat intelligence

ACSC Cyber Threat Report 2023-24: Key Findings for Australian Business

The ASD's Annual Cyber Threat Report provides the most authoritative public picture of the cyber threat landscape facing Australian organisations. The 2023-24 report includes several findings with direct implications for small and mid-sized businesses.

Ryan BallootBy Ryan Balloot, Managing Director22 August 20241 min read
ByRyan Balloot22 August 20241 min read

The 's Annual Cyber Threat Report is the most authoritative public source on the cyber threat environment facing Australian organisations. Published annually, it draws on incident data, intelligence reporting, and industry engagement to characterise the threats businesses and government agencies actually face.

Self-Reported Cybercrime Losses

The 2023-24 report noted that cybercrime cost Australian businesses and individuals over $3.1 billion in self-reported losses during the period. remained the category with the highest average financial loss per report. reports to the ACSC increased compared to the prior year.

The Critical Infrastructure Targeting Trend

State-sponsored actors continued to conduct and pre-positioning operations against Australian critical infrastructure. The ACSC noted that these actors prioritise establishing persistence that could be activated during future geopolitical tensions. While this threat is most directly relevant to infrastructure operators, the supply chain implications affect technology vendors and service providers across many sectors.

Vulnerability Exploitation Speed

The report highlighted the continued compression of the time between public disclosure and active exploitation. Vulnerabilities in internet-facing systems — particularly network appliances, VPN gateways, and remote access tools — are being exploited within hours of public disclosure in some cases. This reinforces the patching timeframes as a floor, not a target.

Recommendations That Map to Essential Eight

The ACSC recommendations in the report align closely with Essential Eight controls: enforce , patch promptly, implement application control, restrict admin privileges, and maintain tested backups. The consistency across years of ACSC advice reflects the reality that the most significant risk reduction comes from these foundational controls, not from more sophisticated measures.

Keep reading

More from the IronSights team.