The agency responsible for detecting and disrupting malicious cyber threats wants certain password habits to be "over", as the amount of money lost to cybercrimes continues to rise.
According to the Australian Signals Directorate (ASD), relying on a username and password system only, without additional steps for verification, can leave Australians' data vulnerable to hacking.
Last year, individual victims of cybercrimes across Australia lost an average of $33,000, an 8 per cent increase.
On Tuesday, the ASD will release its annual cyber threat report, revealing businesses suffered even higher losses, doubling to roughly $202,000 per crime.
ASD director-general Abigail Bradshaw told SBS News it's time to move past passwords.
"I hope it [using passwords] is over. What we need is more technologies that enable multi-factor authentication, so that you are never solely reliant on a username and a password," she said.

ASD responded to more than 1,200 cybersecurity incidents, an 11 per cent increase from 2023-24. Source: SBS News
She said Australia is increasingly targeted by both cybercriminals and state-sponsored cyber actors.
She notes, however, that the way they are gaining access to organisations, critical infrastructure, and businesses is changing.
"Networks are increasingly not being hacked, but are being breached through compromised or stolen credentials to gain unauthorised access," she said.
In almost half of the incidents impacting large organisations, access was gained using real usernames and passwords, often stolen or bought by cybercriminals on the dark web.
Because the access uses genuine credentials rather than a hack, it is harder to track.
"Once access is gained, they mimic legitimate user behaviour to steal sensitive personal or corporate information, install ransomware or malware and take over accounts," she said.

Cybersecurity Minister Tony Burke urged Australians to keep software up to date and enable multifactor authentication to keep themselves safe. Source: AAP / Lukas Coch
"Most cyber incidents are preventable, and basic defensive measures make a huge difference," he said.
How to keep yourself safe from cybercrime
Passwords and usernames remain the biggest vulnerability for safety, with home office routers often also targeted by cybercriminals and used to conceal their activities.
The ASD advised that the basics are still the best form of defence from cybercrime, encouraging multi-factor authentication, which requires at least two forms of identity verification.
Stephanie Crowe, head of ASD's Australian Cyber Security Centre, said 42 per cent of the incidents reported through ASD in the last financial year involved an element of stolen credentials.
"What that enables them [cyber criminals] to do is use a username and password to get onto an individual's device, or, if they're lucky enough, they've also been able to take usernames and passwords for people's corporate accounts," she told SBS News.

The average self-reported cost of cybercrime per report for small businesses rose by 14 per cent to $56,600, while the cost to individuals rose 8 per cent to $33,000. Source: SBS News
Other tips include regularly updating software on devices, backing up important data and staying alert to phishing messages and scams.
Last year, the ASD responded to 1,200 incidents and blocked access to 334 million malicious domains.
Businesses issued warning ahead of 2030
The ASD warns the environment will grow increasingly challenging for businesses, with the development of post-quantum cryptography anticipated by 2030.
Whenever communication is exchanged between users, whether via websites or emails, encryption is applied to the messaging in transit to protect the data.
The anticipated technology will be able to unscramble this messaging quickly, making businesses more susceptible to data decryption or hacking.
ASD urged businesses to invest and prepare for this technology, as the cost of a hack could ultimately be greater.
It also includes three other changes: implementing effective logging, replacing legacy IT and effectively managing third-party risk.
Critical infrastructure emerged as the key concern in 2024-25, with malicious activity impacting networks over 190 times, a rise of 111 per cent.
"This highlights the ongoing need for vigilance and action to mitigate against persistent threats," Bradshaw said.
The agency collects and analyses data from communications systems, radio frequencies and electronic transmissions.
It answered over 42,500 calls to the Australian Cyber Security Hotline last year.