Australia has yet to suffer a critical, Hollywood-style cyber security incident, according to the nation's top online cop, but our defences are being tested and criminals are growing in number.
The rate of cyber attacks against Australian businesses may also be higher than statistics indicate, she warned, as small businesses continue bearing the brunt of financial losses.
National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness issued the warnings at the AusCERT Cyber Security Conference on the Gold Coast on Friday, while also promising public consultation to inform future online safety policies.
The event has drawn 900 delegates and comes a month after large superannuation firms were targeted in a co-ordinated online attack and less than a year after 12.9 million Australians had private information stolen in the Medisecure hack.
Despite a growing number of attacks on large Australian organisations including healthcare, telecommunications and legal firms, Lt Gen McGuinness told the audience none had damaged the nation's critical infrastructure or had a lasting impact.
"Australia has seen the dark side of significant cyber incidents such as Optus, Medibank, Latitude Financial, HWL Ebsworth, Ramsay Health Care and Medisecure (but) we are actually yet to see a catastrophic cyber incident with impacts across multiple critical infrastructure sectors," she said.
"We must continue to evolve and thrive to ensure that those scenes we see in Hollywood never actually eventuate."
The most recent high-profile cyber attack, in which criminals stole $750,000 from 10 AustralianSuper accounts, had been the result of a "credential-stuffing attack", Lt Gen McGuinness confirmed, involving criminals using passwords leaked from another data breach.
Financial losses from the attack were "relatively small" but it was aimed at a large financial market, she said, and should serve as a reminder for all parties to bolster online defences.
The Annual Cyber Threat Report released in November found Australian cyber crime reports grew by 12 per cent in 2024 and the cost of attacks to individuals grew by 17 per cent to an average of $30,700.
Cyber crime's cost to businesses fell by eight per cent according to the report, but Lt Gen McGuinness said the true cost of online crime was likely to be significantly higher given most Australian businesses were categorised as small and lost an average of $49,600 per incident.
"These businesses don't have the staff and the resources to have dedicated IT professionals or security functions, let alone the capacity to respond to an incident without help," she said.
"Our adversaries also know this."
Australian businesses of all sizes should develop and practise incident response plans to avoid data theft, she said, and should, if possible, refrain from paying ransoms demanded by criminals to avoid being re-targeted.
The Australian Cyber Security Strategy, launched in November 2023, is due to be updated by 2026 to address a broader range of cyber security investments, and a public consultation will be launched in the coming months.