Australian government agencies and organisations are increasingly vulnerable to a major cyber attack yet security has not evolved in more than 20 years, according to an international cybercrime expert.
Chris Pogue, a member of the US Secret Service Electronic Crimes Task Force, will conduct high-level security briefings with government departments and security agencies in Canberra next week to urge better collaboration and intelligence sharing in the face of an "inevitable" cyber disaster.
With the trade of stolen data booming on the multi billion-dollar dark web, Mr Pogue said "data is the new oil" yet Australia, like most countries, still has a "head-in-the-sand approach".
"It will get worse before it gets better," he told Fairfax Media. "The sooner decision makers understand that there are only three types of organisations – those that have been breached, those that are currently breached (and likely don't know it) and those that are about to be breached – the better."
Mr Pogue, a former US Army officer who has trained thousands of federal agents in cyber investigations, said security had not "truly evolved" in 20 years.
The approach is "reactive and knee jerky" and most organisations are still getting the basics – like passwords and firewalls – wrong.
"Prevention is not working," he said. "It's not that people don't know they have to protect their data, they just don't do a good job at it. Even US government departments, they have the money, they can buy the resources ... and it's still not working."
In its 2015 report on organised crime, the Australian Crime Commission said cybercrime affected five million Australians in 2013 and cost $1.06 billion, although that figure is likely to be an underestimate because it is based on the cost to individuals only, not to industry and government.
In the first quarter of this year, more than $234 million worth of financial loss was self-reported by individuals and small companies to the new Australian Cybercrime Online Reporting Network.
One particularly persistent threat, malware called ZeroAccess, was compromising 4000 Australian devices each day between October and December last year, the ACC said.
The malware infiltrated payment systems in 60 Pizza Hut stores in Australia over 12 months last year. Europol, the FBI and Microsoft have unsuccessfully tried to disrupt the ZeroAccess botnet.
Australia was also reportedly targeted in recent months by Chinese and Russian spies attempting to hack top-secret details of Australia's future submarines.
Mr Pogue, senior vice-president of cyber threat analysis with Australian data investigation company Nuix, said hackers were becoming more creative and more aggressive.
Most advertise their skills in hidden Russian-language forums. The stolen data is sold on encrypted "dark net" sites, with stolen credit card details fetching an average of $100.
The money is then funding other crimes, such as terrorism and people smuggling.
One dark-net site identified by Australian police recently was selling credit cards for 8¢, CCVs for $8 and other card details, such as billing addresses, for $80. At one point, 14,000 users were accessing the site.
Last month, former ASIO head David Irvine conceded it was only a matter of time until jihadists launched online attacks in Australia.
The Australian Strategic Policy Institute found Australia had slipped from second to fifth place in the Asia-Pacific region for cyber policies and practices.
An urgent round table on cyber security was convened earlier this year and the federal government will soon consider the outcomes of its overdue cyber security review.
Efforts will focus on developing a new public Cyber Security Strategy with practical initiatives, the Department of Prime Minister and Cabinet said.