Each year, the Australian Cyber Security Centre releases its Annual Cyber Threat Report, and the latest one (FY 2024-25) confirms what many of us working in IT already suspected: cyber threats in Australia are increasing in scale, cost and sophistication.
At The Virtual IT Department, we’ve extracted the most relevant insights so you can see what’s changed, where the key risks lie, and what you can do now to strengthen your cyber posture.
Threats & Trends
Cybercrime and state-sponsored attacks are increasing across Australia.
- Over 1,200 cyber incidents were reported to the ACSC this year - up 11% on the previous period.
- The ASD/ACSC received over 84,700 cybercrime reports in FY 2024-25 - that works out to roughly one report every six minutes.
- The average cost of a cyber incident for large businesses now sits at $202,700 - a jump of 219% year-on-year.
What does that mean for business? The upward trend in incidents and cost means that cyber risk is firmly a business-risk issue, not just “IT stuff”.

How the Attacks Are Happening
The report emphasises that attackers are active across multiple fronts. While it doesn’t publish a full breakdown of every entry method (at least not in the public fact-sheet), we do know:
- The top three self-reported cyber-crimes by businesses were:
  - Email compromise resulting in no financial loss - 19%
  - Business email compromise (BEC) fraud with financial loss - 15%
  - Identity fraud - 11%
- Internet-facing or “edge” vulnerabilities (e.g., in devices, systems exposed to the internet) are flagged in the report as common risk vectors – industry commentary suggests source compromise could be as high as 96% of observed cases.
- AI is now part of the problem: attackers are using it to automate and scale attacks faster than ever.
This data aligns with our lived experience over the last 18 months. These are the same gateways we see targeted in real-world environments. That’s why layered security, continuous monitoring, and regular patching matter: not just as compliance checkboxes, but as core business protection.
Who’s Behind It
The ACSC confirmed that state-sponsored groups from China and Russia remain active in targeting Australian networks and supply chains. It also highlights that cyber-crime campaigns (ransomware, data breaches) are increasing and impacting Australia’s economy and social prosperity.
It’s not just “big business” in the firing line. Many of these groups use supply chain access to reach smaller organisations — which means even small vulnerabilities can have big consequences.
Recommended Actions
The ACSC’s advice is clear and it aligns closely with what we recommend to our clients:
- Ensure best-practice event logging is in place
- Replace legacy technology or put mitigations in place
- Choose products and services that are secure by design
- Start preparing for post-quantum cryptography... it’s not as far away as it sounds.
On top of that, the broader tone of the report emphasises an “assume compromise” mindset, visibility (logging, monitoring) and managing third-party/supply-chain risk.
If you’re already doing most of these, you’re ahead of the curve. If not, start small and build from there. Remember, IT is a garden to be maintained, not Lego to be assembled. Every step you can take strengthens your resilience.
A Special Note for Critical Infrastructure
For organisations operating in critical infrastructure sectors (energy, transport, finance, telecommunications, etc.), the advice is heightened. The factsheet for “Critical Infrastructure” highlights:
- The sector remains a target due to its large volume of sensitive data and essential services.
- The same four key actions (logging, legacy tech replacement, secure by design, post-quantum prep) are emphasised for CI operators.
Even if your business isn’t classed as “critical infrastructure”, the principles carry across: resilience, visibility, supply-chain risk and legacy tech matter.
Final Thoughts
The 2024-25 ACSC report confirms what we at The Virtual IT Department see day-to-day: cyber-threats are not static and they are increasing in frequency, scale and potential impact.
But the good news? The fundamentals still hold. Strong passwords, MFA, updating systems, logging, and managing third-party risk still form the backbone of cyber defence. And starting your journey now means staying ahead.
If you’d like to chat about how these verified findings might affect your organisation or how to map practical steps into your Google/Microsoft/PC/Mac mix, please reach out. We’re here.
Technology should empower impact — not hinder it. Let’s make sure yours does.
*We used AI to speed things up but a real human with coffee and opinions double-checked everything in this blog.