What drives Aussie business leaders to make ransomware payments?
New research has revealed insights into the experiences and attitudes of Australian business leaders towards ransomware attacks and payments, with 35% of Australian businesses having suffered an attack and 83% of those paying the ransom — a far greater proportion than official figures suggest. The McGrathNicol Advisory surveyed over 300 business owners, partners, directors and C-Suite leaders across Australian businesses with more than 50 employees.
As legislation concerning the mandatory reporting of ransom payments is considered by the federal government, 69% of business leaders who said they wouldn’t rule out paying a ransom cited external risk drivers, including the need to minimise potential harm to stakeholders and reduce brand damage, as a rationale for payment. In comparison, 31% said that getting back to normal operations faster was a key concern. Two in three (67%) of businesses surveyed said it should be mandatory for a business to report a ransomware attack to the authorities, with 43% believing it should be reported regardless of whether a ransom payment was made.
The research also found that 80% of all business leaders said they would be willing to pay a cyber ransom if they suffered a crippling attack; businesses that have already experienced a ransomware attack are more willing to pay than those that have not (90%, compared to 75%). The average cyber ransom that businesses estimate they would be willing to pay is $690,000, compared to the average cyber ransom of $1.04 million that is actually being paid out. Of those businesses that made a cyber ransom payment, 23% paid within 24 hours, while 51% paid within 24–48 hours. Of those business leaders who paid a cyber ransom, 74% chose to negotiate with the cybercriminals to lessen the financial and operational damage to their business.
Darren Hopkins, Cyber Partner at McGrathNicol Advisory said the findings show that the proportion of businesses paying a ransom is higher than official figures would suggest, adding that this aligns with the company’s experience working with organisations on the front line.
“The fact is, although we always advise against paying the ransom, many directors and C-Suite leaders often feel like there is no simple way out, and they know that if they try and reduce the ransom through early payment or negotiation, then that might help them avoid any negative fallout. Business leaders clearly want guidance on dealing with ransoms, but to make mandatory reporting work, the consequences of reporting need to be less than the negative stakeholder and customer reaction that is the principal motivation for companies paying up,” Hopkins said.
Business leaders are taking the ransomware threat seriously, with 84% of businesses surveyed currently insured against a ransomware attack. The estimated average coverage size in Australia is $1.54 million. However, far from helping to ease stakeholder relations, the data shows that business leaders look unfavourably on those that choose to pay a cyber ransom. This is more the case for companies that have suffered a ransomware attack themselves.
Nine in 10 businesses surveyed said that knowledge of a ransomware payment from a business in their supply chain (or a business they are associated with) would negatively impact their perception of that business. Businesses that have experienced a ransomware attack in the past are also more likely to have a negative perception of another business if it pays a ransom. This includes 31% who believe that paying a ransom means that a business does not have appropriate safeguards in place.
Hopkins noted that too many organisations in Australia still believe they have nothing of worth to cybercriminals or that those that fall victim have not invested enough in their cyber defences. Hopkins cautioned that it doesn’t matter how large a company is or what data it holds, cybercriminals will always look for an extortion angle. The research suggests that paying a ransom can impact more than just the bottom line and can also attract negative perceptions from customers and suppliers.
Shane Bell, Cyber Partner at McGrathNicol Advisory, said the best defence is to develop a cyber resilience plan. Bell advises that the plan should evolve over time and be continuously stress tested within the organisation, with appropriate safeguards in place to help identify any risks or vulnerabilities that could be exploited now or in future. “It’s not enough to focus on total prevention of a ransomware attack. It’s about being in the best position to respond and bounce back when, not if, it happens,” Bell said.