Australia’s energy, healthcare and transport industries are among the most vulnerable to cyber attacks, tests by ethical hackers reveal, and artificial intelligence is being used to craft more dangerous strikes against them.
Internet security firm CyberCX issued the warnings on Tuesday after its team identified 2500 severe security risks in 800 companies and government departments.
But the online AI arms race had yet to give attackers a big advantage, the study found, as it was being used to defend companies in equal measure.
The security warnings come days after some of Australia’s largest superannuation funds were targeted in a coordinated attack, in which criminals breached customer accounts and stole at least $500,000.
The CyberCX Hack Report revealed financial services ranked 10th for severe security vulnerabilities, with utilities, transport, healthcare and manufacturing industries posing above-average risks.
The company used a team of more than 150 ethical hackers to test 800 organisations for security flaws during 2024, mimicking criminal attacks to identify vulnerabilities.
Among the tens of thousands of risks discovered, almost 10 per cent were deemed so dangerous they could have “severe impact” on the organisations’ operations, were criminals to discover them before IT security teams.
Most of these critical security weaknesses were caused by poor application security, identity and access management flaws, or incorrect configuration and patch management.
Industries that used operational technology – such as body-scanning devices, energy infrastructure or manufacturing equipment – were among the most vulnerable, CyberCX security testing and assurance executive director Liam O’Shannessy said.
Hospitals and doctor’s surgeries were particularly high risk, he told AAP, as their equipment was often expensive, designed to last for more than 20 years and collected sensitive information.
“We don’t really design software with a view to keeping it secure for 20 years so we end up with these really big systems that are hard to update, they’re hard to replace but they’re also really, really hard to secure,” Mr O’Shannessy said.
“Health care, because it deals with such sensitive data for so many people, is ripe for these blackmail, ransomware-style attacks.”
Online criminals were also exploiting AI technology to create more convincing attacks, the report found, by using it to add “regional nuances and near-flawless grammar” to phishing attempts, for example, to make them more difficult to detect.
The technology had yet to give attackers an unfair advantage, Mr O’Shannessy said, as many companies were using the same technology to defend themselves.
“AI is definitely making attacks more efficient but, at the same time, it’s definitely making defenders more efficient,” he said.
“AI has increased the rate of change, which is a real challenge for organisations who are used to a low tempo of change.”
Recent high-profile cyber attacks have included the raid on superannuation funds such as AustralianSuper and Australian Retirement Trust last week, and a ransomware strike on Australian IVF provider Genea in February in which some stolen data was published on the dark web.
AUSTRALIA’S MOST VULNERABLE INDUSTRIES
1. Utilities and resources: 17.2 per cent
2. Logistics and transport: 13.6 per cent
3. Health care: 12.8 per cent
4. Manufacturing and construction: 12 per cent
5. Retail and entertainment: 8.8 per cent
6. Federal government: 8.5 per cent
7. State and local government: 8 per cent
8. Education: 7.8 per cent
9. Professional and technical services: 7.8 per cent
10. Financial services and insurance: 7 per cent
* Severe vulnerabilities discovered by CyberCX testing
Jennifer Dudley-Nicholson
(Australian Associated Press)