McGrathNicol Advisory today unveiled the findings of its annual ransomware survey, revealing the true extent of ransomware attacks on Australian businesses and the willingness of leaders to make substantial payments to cybercrime groups.
Following on from research conducted in 2021 and in partnership with YouGov, McGrathNicol Advisory surveyed over 500 business owners, partners, directors and C-Suite leaders across Australian businesses with 50 or more employees.
The 2022 research found that almost seven in ten (69 percent) businesses have now experienced a ransomware attack in the past five years, which is a significant increase from 31 percent in 2021.
In the event of a ransomware attack, four in five (79 percent) businesses chose to pay the ransom, and the average cyber ransom amount paid was $1.01 million, which is consistent with the prior year. The average amount that businesses would be willing to pay, however, is higher and has almost doubled to $1,288,608 compared to $682,123 in 2021. This shows that businesses are anticipating the financial fallout of a cyber breach far better than they were 12 months ago.
The research reveals further key findings:
- The timeframe for ransom payments has shortened: 44 percent of businesses attacked paid a cyber ransom within 24 hours (up from 23 percent in 2021).
- Negotiation is also less likely to have taken place: Of those business leaders who have paid a cyber ransom, three in five (59 percent) chose to negotiate with cyber criminals to lessen the financial and operational damage to their business, compared to three in four (74 percent) last year.
- Residual uncertainty over consequences of ransom payment: Close to one in five Australian organisations are unaware that paying a ransom funds criminal organisations.
- Email fraud is the most common mode of entry: Known as “business email compromise” or “phishing”, almost 75 percent of all ransomware attacks can be attributed to human error, while the remaining 25 percent are a result of vulnerability exploitation and malicious access.
Darren Hopkins, Cyber Partner at McGrathNicol Advisory, said: “Many businesses are under pressure to pay and ‘keep the lights on’ rather than try their hand at negotiating with nefarious cyber-criminal groups. Given that almost a third of businesses are willing to pay more than $1 million in ransom payments, and pay quickly, the research shows that business leaders are starting to treat the ransomware threat as they would any other business risk.”
“This is a challenging environment for business leaders, and while many feel as if they don’t have the luxury of time, we want to assure them that there is always help available. Just as we encourage businesses to review and practice fire drills, we urge business leaders to develop and stress-test their cyber resilience plans. When a ransomware attack inevitably occurs, you and your board will know exactly what comes next.”
The research found that many businesses are over-confident in their abilities to respond to a ransomware attack, but the reality is that many are still very unprepared. Almost four in five (78 percent) businesses believe that their organisation is ‘well prepared’ to respond to a cyber-attack, with half (51 percent) reporting that they are ‘very prepared’. However, this is at odds with other details in the research, which found that 13 percent of businesses said it took them two days or longer to inform all relevant stakeholders, whilst three in ten (28 percent) are unsure whether an attack would be reported to all stakeholders. Alarmingly, one in five (20 percent) large businesses with more than 1000 employees admit that they did not report the attack to all stakeholders.
Shane Bell, Cyber Partner at McGrathNicol Advisory said: “With September’s Optus breach and October’s Medibank breach dominating headlines, it’s more important than ever that governments, regulators, and corporate Australia work together to minimise risk to consumers and critical industries, reinforcing Australia’s 2016 strategy to make Australia a hard target for cybercriminals.”
“Building muscle memory around response and recovery is important, but it is only one part of the process of building overall cyber resilience. Organisations really need to understand the current and evolving threat landscape. They need to make decisions about their own risk profile and risk appetite, and then use that information to build a program of continuous improvement geared towards building cyber into business-as-usual practices. Cyber isn’t a new agenda item—it is and should be an established component by now.”
As the debate continues on the need for enhanced ransomware reporting in Australia, McGrathNicol’s research shows that businesses want greater transparency, stronger intelligence sharing and reporting obligations. Three in four (75 percent) businesses believe that it should be mandatory for a business to report a ransomware attack to the authorities (up from 67 percent), with almost three in five (56 percent) believing that it should be reported regardless of whether a ransom payment is made (up from 43 percent).