EXCLUSIVE

Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies

The former PM has slammed executives for treating cyber attacks as a ‘cost of doing business’ while hackers increasingly target Australian companies during understaffed weekends.

Malcolm Turnbull says it’s up to businesses to defend themselves against cyber attacks, saying the ‘government can’t protect you’. Picture: Martin Ollman

Malcolm Turnbull has lambasted a pervasive culture of complacency for fuelling a spate of high-profile cyber attacks — including the strikes on super funds and Qantas — urging directors and executives to be more hands-on in protecting Australian customers.

New data from cyber security firm Semperis has revealed almost half of all attacks are on understaffed weekends, with hackers repeatedly targeting the same businesses in the past year.

Despite the strikes, politicians and business leaders aren’t taking the breaches seriously enough, with Mr Turnbull - who advises Semperis - saying many are “treating ransomware attacks as just a cost of doing business”.

His urgent message: cyber security isn’t an IT problem, it’s an executive failure, demanding immediate boardroom-to-browser action to avoid catastrophic consequences, including identity fraud, loss of essential infrastructure and steep financial losses.

Yet, Anthony Albanese dismissed attacks as happening “all the time” after criminals siphoned hundreds of thousands of dollars from AustralianSuper and other industry funds earlier this year.

Mr Turnbull said Anthony Albanese’s comments on hacks weren’t helpful Picture: Nikki Short

Mr Turnbull - who was considered an early internet pioneer in Australia before entering politics and has invested in cybersecurity firms, including Dragos, Cado Security and Kasada - said such comments were not helpful.

“The truth is these attacks do happen all the time, but that doesn’t mean you should be complacent about it,” he said.

“There’s all sorts of bad things that happen all the time. If somebody was mugged walking down Martin Place and the police commissioner just said ‘muggings happen all the time’, people would be calling for his head.”

But, Mr Turnbull said it was up to businesses to protect customer data and fend off cyber attacks.

“The government cannot protect you in this field. Australian Signals Directorate does great work and obviously, Australian Cyber Security Centre and all the government agencies are very important. But … if you have a business, responsibility for protecting it against a cyber attack is yours.

“What government’s got to do is raise levels of awareness. It’s got to provide tools. It has got to provide legislation, which we’ve done to ensure that people report breaches. But ultimately it’s down to businesses.”

Mr Turnbull said the problem was many executives and directors delegated too much in regard to cyber security.

“When I was in office, I used to say to chief executives, ‘do you know who in your organisation has administrative privilege? Who is your system’s administrator or administrators?’ And they generally had no idea. I said, ‘well, don’t you think you should find out? Don’t you think you should know who’s got the keys to the castle?’ And so raising awareness is very important.”

But even when awareness is raised, executives have done nothing. Superannuation fund trustees ignored repeated warnings from regulators to strengthen their “weak” online security.

The Australian Securities & Investments Commission told superannuation trustees — who are mainly union or employee group appointees — in late January that trillions of dollars of Australians’ retirement savings were at risk from data breaches and scams.

The Australian Prudential Regulation Authority also urged the funds in May 2023 to adopt multi-factor authentication to protect members’ savings — a measure many funds, including AustralianSuper, failed to adopt until after the attack.

Mr Turnbull said directors, executives and super fund trustees must learn to educate themselves about cyber risks.

“I don’t want to hold myself up as an example but you know when we made the decision about 5G … I bought the latest textbook on 5G. I made myself as familiar as I could be. I spent a lot of time directly with ASD so that I understood the advice that I was getting and was able to challenge it and interrogate it. And so I was able to be an informed client. And I think that’s what you’ve got to be. You just want to take this super seriously.”

The Semperis report, which was based on a survey of 1500 companies, found one in three Australasian organisations targeted by cyber attacks were hit more than once in the past 12 months, significantly higher than the global average.

Meanwhile, 38 per cent of global organisations paid multiple ransoms, and 11 per cent paid hackers three times or more.

More troubling, the report found 43 per cent of ransomware victims in Australia were threatened with physical harm if demands were not met, highlighting the psychological warfare element of cyber crime. This is only slightly below the US (46 per cent) and Germany (44 per cent).

Semperis found most companies operated a Security Operations Centre, yet 89 per cent said it was not fully staffed on weekends and holidays.

This is despite 52 per cent of attacks being deliberately launched on weekends or holidays, when IT teams were likely understaffed.

“Complacency is a real issue and the fact that Australian companies are getting attacked repeatedly indicates that they’re not taking the threat seriously enough. If you are treating ransomware attacks as a ‘cost of doing business’, all you’re going to do is encourage more ransomware attacks. So the one message I would have is that if you are a director of a business or an owner you have a duty to do everything you reasonably can to protect your company from cyber attacks.”

Originally published as Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies

Original URL: https://www.couriermail.com.au/business/the-alarming-pattern-in-cyber-attacks-on-australian-companies/news-story/66ba33c1a9096eacb4e309d93d5831a3