The 113 organisations surveyed reported many malicious cyber threats, with spear phishing emails alone affecting Australian organisations up to hundreds of times a day, the ACSC said in its report on the survey.
"These figures reinforce the message to all organisations that experiencing a cyber incident is not a matter of if but when, and what type," the ACSC said.
Just over half, or 58% of the organisations, experienced at least one incident that successfully compromised data or systems and 60% experienced tangible impacts on their business due to attempted or successful attacks, it said.
The majority of the organisations showed "a high level of resilience", the ACSC said, but most could still do more to prepare for and adapt to cyber threats.
"Just over half, or 51% of all organisations surveyed said they tend to be alerted to possible breaches by external parties before they detect it themselves. Given that only 2% of organisations reported having completely outsourced IT functions, these figures suggest organisations are not adequately focusing on monitoring networks and detecting potentially malicious activity," it said.
Organisational attitudes can also be out of step with the technical controls in place, the ACSC said.
"For example, organisations have embraced practices that offer greater workplace flexibility, such as using personal devices at work or working remotely from home; yet significantly fewer of these organisations have mobile device management systems or identity and access management systems in place to manage these risks," it said.
There has however been improvement, with 71% of organisations reporting having a cyber security incident response plan in place compared with 60% in the 2015 ACSC Cyber Security Survey of Major Australian Businesses.
"Now the focus needs to be on ensuring those plans remain relevant," the ACSC said.
The Australian Cyber Security Growth Network (ACSGN) announced plans this week to triple the size of the country's cybersecurity industry, from around AU$2 billion (£3.5 billion) in revenue to AU$6 billion by 2026.
The ACSGN cybersecurity sector competitiveness plan (SCP) will "identify the challenges Australian organisations face when competing in local and international cyber security markets", it said.
The SCP will provide "a roadmap to strengthen Australia’s cyber security industry and pave the way for a vibrant and innovative ecosystem. It articulates the steps and actions required to help Australia become a global leader in cyber security solutions, with the aim of generating increased investment and jobs for the Australian economy", it said.
The SCP will include improvements to research into cyber security, changes to the business environment to encourage cybersecurity startups, and education to reduce the skills shortage in Australian cybersecurity, it said.