He said corporate Australia was exposed to a broad spectrum of threats, from two-person hacking operations to the suspected Chinese government-linked hacking group APT10 (Advanced Persistent Threat), members of which are wanted by the US Federal Bureau of Investigation.
The report examined results from a survey of 1894 organisations, more than half of which said they had no cyber security governance.
The report’s findings echo comments made earlier this year by the head of government-funded science body AustCyber, that Australia had become a “testing ground” for hackers trying new kinds of malicious software, as a result of failing to take cyber security seriously.
Mr Connory said it was troubling that among almost 2000 companies – in sectors including finance, health, education, government, manufacturing, technology, professional services and retail – almost 40 per cent did not provide any cyber awareness training to staff.
Further, more than 70 per cent of all data breaches at Australian businesses were caused by human error.
In June it was revealed China was the key suspect in the theft of 19 years’ worth of highly sensitive personal data from the Australian National University, including bank numbers, tax details, and academic records, although research work was reportedly not affected.
Senior intelligence officials have voiced fears the information could be used to “groom” students as informants before they move into the public service.
“The theft of intellectual property and research is huge, because it’s an easy, cheap way for foreign countries to be able to quickly gain 10 years in research and development and save billions in costs,” Mr Connory said.
He pointed to Chinese hacking group APT10, which was linked to a sustained attack on data storage service providers dating back to 2014 that sought intellectual property from industries such as finance, healthcare and biotech.
Two alleged APT10 members, Zhu Hua and Zhang Shilong, were indicted in the US in December last year and named as agents of China’s Ministry of State Security.
The two men are wanted by the FBI on charges of aggravated identity theft, conspiracy to commit computer intrusions and wire fraud.
“APT10 have hacked IBM, Hewlett Packard Enterprise … they’ve extracted information from major organisations on a global basis to steal IP to enhance their own internal research development in technology, science, pharmaceuticals,” Mr Connory said.
According to cyber security firm CrowdStrike, once a company’s credentials have been compromised it can take just 20 minutes for an attacker to begin moving through the network, while on average a hacker has an individual’s information for 188 days before the individual knows.
“Most of the actors [targeting Australia] are overseas, and they are not only organised crime groups and single-person operations,” Mr Connory said.
“Foreign governments are a serious issue in regards to government, education and technology company data breaches.”
He added that foreign governments in China, Russia, Iran and North Korea were the most likely to target Australia.
“When it comes to North Korea, they are more interested in developing ransomware for financial gain, while in Russia [perpetrators] are more commonly crime gangs.”
To see the work of Russian “bad actors,” one need only look at the dark web, he said, where stolen credit cards, passport numbers and personal information are readily available for sale.
Lucy Cormack is a crime reporter with The Sydney Morning Herald.