Australian Government has ransomware in its sights

Ransomware attacks cost the Australian economy as much as $3 billion annually, with organisations reportedly paying, on average, $250,000 per incident. The Australian Cyber Security Centre has labelled ransomware as the most serious cybercrime threat to the nation due to its high financial impact and other disruptive impacts to victims and the broader community.

According to the Australian Signals Directorate’s Cyber Threat Report 2022-2023, there were 158 ransomware attacks reported – up 7% on the previous year – accounting for 10% of all cyber incidents.

Of course, many, if not most, incidents go unreported. Some 70% of Australian organisations were victims of ransomware attacks in 2023, according to Sophos’ State of Ransomware 2023 report, and cybercriminals were successful in encrypting data in 69% of ransomware attacks.

Verizon’s 2023 Data Breach Investigations Report found ransomware was the source of 24% of data breaches in the Asia Pacific region. The report noted the frequency of attacks was increasing, with the number of incidents in 2023 greater than the previous five years combined, while the ransoms demanded had doubled.

Given the threat posed by ransomware to business and the economy, the Australian Government has focussed on addressing this cybercrime in its 2023-2030 Australian Cyber Security Strategy (ACSS).

The ACSS pledges $586.9 million to shore up resilience, including introducing “no-fault, no-liability” ransomware reporting obligations. Of that funding, $290.8 million will be invested in measures including support for SMEs and “breaking” the ransomware business model.

A “ransomware playbook” will also be created to provide clear guidance on how to manage ransom demands.

Paying ransoms not outlawed – yet

Although the Government reiterated that it strongly discourages the paying of ransoms to cybercriminals, the practice has not been banned.

The idea of banning ransomware payments was floated as part of the consultation on the ACSS; however, it was determined that now is “clearly not the right time”.

Speaking on ABC Radio National on 22 November 2023, Minister for Home Affairs and Cyber Security Clare O’Neil said she supports a ban on ransomware payments as they feed cybercriminals but “we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms because we haven’t done the hard work”.

“We don’t have, for example, a Federal Police force that’s properly resourced and properly equipped to deal with this problem, and we solve part of that problem in the strategy,” she said.

“We don’t have a proper system of support for companies that are undergoing cyberattack, and we solve that problem in the strategy.”

However, an eventual ban is “inevitable”.

Minister O’Neil said that the first stage of the strategy is about developing an understanding of the current state of national cybersecurity, before revisiting the idea of banning ransomware payments.

“My plan for the country on ransoms is that we undertake what is the first two years of this strategy, and then we revisit where we are then and contemplate what I think is inevitable for countries around the world – and that is one day a ban on making ransomware payments.”

For the time being, the decision whether or not to pay a ransom will continue to rest with the business. The decision on payment should be evaluated on a case-by-case basis, taking into account considerations both moral (enabling cybercriminal behaviour) and commercial (whether the benefit of paying the ransom outweighs the business interruption expenses and potential reputational harm).

For many businesses, paying the ransom is the more cost-effective solution.

In fact, 73% of Australian businesses hit by ransomware choose to pay the ransom.

McGrathNicol Advisory’s Ransomware Survey found that 56% of businesses polled had suffered a ransomware attack in the past five years – 14% had suffered multiple attacks. Of those businesses that had been attacked, 73% chose to pay the ransom, with 37% paying within 24 hours and 74% paying within 48 hours of the initial incident. Avoiding brand damage and the release of sensitive information was the reason cited by 74% of businesses for paying the ransom quickly.

Some 70% of all businesses – even those who had not suffered an attack – said they would be willing to pay a ransom in the future.

The survey noted the average ransom demand is $1.03 million, though businesses were willing to pay up to $1.32 million if necessary.

Paying ransoms is now “being factored in as a cost of doing business,” said McGrathNicol Advisory in a statement.

Executives are also becoming less hard-nosed about reporting ransomware attacks to authorities.

Although the Government plans on creating a “no-fault, no-liability” ransomware reporting obligation for business, the survey found only 60% of business leaders support mandatory reporting (down from 75% in 2022), while just 46% agree that it should be mandatory to report a ransomware attack even if a ransom hasn’t been paid.

The Australian Federal Police (AFP) encourages businesses not to “hack it alone” and to report ransomware attacks as soon as possible. The AFP cited data from the IBM Security Cost of a Data Breach Report 2023, which found that 37% of businesses that do not report ransomware attacks spend more on mitigating the incident than those that do work with law enforcement. Bringing in law enforcement also led to a quicker resolution of the incident.

“We don’t want you to go it alone. If we are alerted to an incident in its earliest moments, we have our best shot at gathering the evidence we need to identify those responsible for the attack, disrupt their activities and bring them to justice,” said AFP Commander Chris Goldsmid in a statement.

Value of cyber insurance

With a ban on paying ransoms not coming into effect for at least two years, having a cyber insurance policy that includes ransom payments remains an important protection tool for businesses.

The McGrathNicol survey found 79% of respondents said their business was insured against ransomware attack and 38% would pay a ransom as insurance would cover a large percentage of the payment. It also revealed that 80% of businesses believe their cyber insurance policy is good value, with 64% saying that their policy protection provides peace of mind. More than two in five (44%) executives attribute this positive perception to the role of a cyber insurance payout in protecting their business financially. It was also found that 81% of the businesses that had suffered a ransomware attack in the past five years had been able to take out or renew insurance.

Talk to your EBM Account Manager about mitigating the cyberthreats to your business, including the transfer of risk to insurers. Your broker can discuss cyber policy options that include cover for paying ransoms.