

Ransomware just doesn’t seem to be going away, in spite of herculean efforts. The support offered by Australian authorities in the event of a ransomware attack is better than almost anywhere else, and in fact is a model that could be emulated elsewhere.
And now, the new ransomware payment reporting mandates from the Australian Government have come into effect. Businesses with an annual turnover of $3 million or more, or those in critical infrastructure, must now report any cyber extortion payments to the Australian Signals Directorate. While this mandated reporting is a positive step, it does add more complexity.
The truth is – no amount of begrudging will fix the ransomware issue. Throwing money and IT resources at it isn’t a magic fix either. Even the new ransomware reporting mandate is no silver bullet.
In this article, I will delve into our recent Global Cost of Ransomware Study, conducted by Ponemon with more than 250 Australian IT and cyber security practitioners, which revealed pertinent issues that businesses and governments alike need to consider when it comes to ‘fixing’ ransomware.
1. Ransomware is a moving beast – it is not stagnant.
I often hear business leaders talking about ransomware as if it can be conquered once and for all. Set and forget. But this is simply untrue. Ransomware techniques continue to evolve to evade detection – just look at the Medusa attacks in the US. These attacks are particularly terrifying for businesses because Medusa isn’t your typical ‘smash-and-grab’ ransomware – it’s slow, methodical, and devastating. It shows us how ransomware is evolving. Hackers get in, avoid detection to move around IT networks, and wait patiently for their moment to strike.
The Ponemon research showed us that ransomware attacks in Australia impacted 28 per cent of critical systems, with local systems down for 12 hours on average – the highest globally. Medusa shows why the most important cyber security question you can ask today isn’t “How do I stop ransomware from getting in?”; it’s “How do I stop it from spreading to critical systems?”
2. Obstacles preventing the reporting of ransomware payments
The Ponemon research also showed us that ransomware reporting is problematic in Australia for various reasons. Almost three quarters (71 per cent) of Australian businesses that experienced a ransomware attack didn’t report it. The motives for not doing so include fear of retaliation (43 per cent), being up against a payment deadline (37 per cent), and not wanting to publicise the incident (31 per cent). These are all warranted fears – we know, for example, that the reputational damage following a ransomware breach can now equal or exceed the damage of the attack itself. It’s clear that – government mandate or not – there are obstacles preventing organisations from reporting ransomware payments.
3. The new reporting mandate doesn’t cover unpaid ransomware
We know from the research that Australian businesses are hesitant to report making ransomware payments – and in fact they are hesitant to make any payment at all. More than half (55 per cent) of Australian businesses that are hit with ransomware refuse to pay, in many cases due to a set company policy. The new payment reporting mandate is a positive step, but it does not cover these cases, of which there are many.
Whether a ransomware payment is made or not, these attacks can quickly become catastrophic and impact millions – roughly two-thirds (64 per cent) of Australian organisations have had to shut down operations following a ransomware attack, with 43 per cent reporting a significant loss of revenue. It’s clear that all attacks need to be accounted for, not just those involving payments.
4. Cyber insurance is not a good backup plan
In the past, cyber insurance has falsely been viewed as a ‘backup’ plan, but organisations are now realising that this does not offer adequate protection from ransomware. Only 32 per cent of Australian businesses that made ransomware payments did so because they had cyber insurance, and 46 per cent of all local IT and security leaders surveyed said that their organisation’s cyber insurance provider had modified its ransomware protection over the past year, resulting in decreased coverage. The new reporting scheme will not change an organisation’s ability to respond to ransomware, or prevent these attacks from becoming devastating.
5. Investment being made, but not in the right places
According to the research, nearly a third of IT budgets (31 per cent) are allocated to staff and technologies that are meant to prevent, detect, contain, and resolve ransomware attacks. But all this effort is still falling short. There is almost daily news of a new attack surface appearing, globally, not just in Australia. More than a third (39 per cent) of Australian organisations say they lack the ability to quickly identify and contain attacks. Perhaps this is because only 18 per cent of local IT and cyber security leaders say they have implemented microsegmentation to combat ransomware – a vital control for stopping the spread of breaches. This is far lower than the global adoption rate.
Ransomware is more pervasive – and more threatening – than ever. Australian organisations have the ability to prevent these attacks from becoming disastrous, irrespective of mandated reporting. Organisations need operational resilience and controls that stop attackers from reaching critical systems. By containing attacks at the point of entry, organisations can protect critical systems and data, and save millions in downtime, lost business, and reputational damage.
This approach is an insurance policy in itself, and will negate the need for ransomware payments.
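The containment control the article keeps returning to, microsegmentation, is easiest to reason about as a default-deny allowlist keyed on workload labels rather than IP addresses. The Python below is an added illustration written for this edit, not code from the article or from the Ponemon study; the workload names, labels, rules and connection attempts are constructed sample data. It evaluates a handful of flows against such a policy and then walks the allowed paths to show how many hops a compromised workload is from each system labelled critical, with a flat-network policy alongside for contrast.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A host or container identified by its labels, not its address."""
    name: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    """Allow traffic from any workload carrying all `src` labels to any
    workload carrying all `dst` labels, on the listed TCP ports only."""
    src: frozenset
    dst: frozenset
    ports: frozenset


class SegmentationPolicy:
    """Default-deny allowlist: a flow passes only if some rule matches it."""

    def __init__(self, rules):
        self.rules = tuple(rules)

    def allowed_ports(self, src, dst):
        """Union of the ports any rule opens from src to dst (empty = no path)."""
        ports = set()
        for r in self.rules:
            if r.src <= src.labels and r.dst <= dst.labels:
                ports |= r.ports
        return ports

    def allows(self, src, dst, port):
        return src.name == dst.name or port in self.allowed_ports(src, dst)

    def hops_to(self, start, workloads):
        """Breadth-first search over allowed flows: number of hops from
        `start` to every other reachable workload. A critical system that
        is reachable in one or two hops is the blast radius to close."""
        hops, queue = {start.name: 0}, deque([start])
        while queue:
            cur = queue.popleft()
            for w in workloads.values():
                if w.name not in hops and self.allowed_ports(cur, w):
                    hops[w.name] = hops[cur.name] + 1
                    queue.append(w)
        del hops[start.name]
        return hops


# Constructed sample environment (hypothetical names and labels).
WORKLOADS = {w.name: w for w in [
    Workload("web-01", frozenset({"env:prod", "app:shop", "tier:web"})),
    Workload("app-01", frozenset({"env:prod", "app:shop", "tier:app"})),
    Workload("db-01", frozenset({"env:prod", "app:shop", "tier:db", "critical"})),
    Workload("bastion", frozenset({"env:prod", "role:bastion"})),
    Workload("laptop-42", frozenset({"env:corp", "tier:user"})),
]}

# Segmented policy: only the application's real dependencies are opened.
POLICY = SegmentationPolicy([
    Rule(frozenset({"tier:user"}), frozenset({"tier:web"}), frozenset({443})),
    Rule(frozenset({"tier:web", "app:shop"}), frozenset({"tier:app", "app:shop"}), frozenset({8443})),
    Rule(frozenset({"tier:app", "app:shop"}), frozenset({"tier:db", "app:shop"}), frozenset({5432})),
    Rule(frozenset({"role:bastion"}), frozenset({"env:prod"}), frozenset({22})),
])

# Flat network for comparison: anything may talk to anything on any port.
ANY_PORT = frozenset(range(1, 65536))
FLAT = SegmentationPolicy([Rule(frozenset(), frozenset(), ANY_PORT)])

# Constructed connection attempts as (source, destination, port).
SAMPLE_FLOWS = [
    ("laptop-42", "web-01", 443),   # user browsing the shop
    ("web-01", "app-01", 8443),     # legitimate web -> app call
    ("app-01", "db-01", 5432),      # legitimate app -> database call
    ("web-01", "db-01", 5432),      # web tier reaching past the app tier
    ("laptop-42", "db-01", 3389),   # workstation to database over RDP
    ("web-01", "app-01", 445),      # SMB between tiers, not a dependency
]


def evaluate(policy, flows, workloads=WORKLOADS):
    """Split flows into those the policy allows and those it blocks."""
    allowed, blocked = [], []
    for s, d, p in flows:
        ok = policy.allows(workloads[s], workloads[d], p)
        (allowed if ok else blocked).append((s, d, p))
    return allowed, blocked


def critical_blast_radius(policy, start_name, workloads=WORKLOADS):
    """Hop count from a compromised workload to each critical system."""
    hops = policy.hops_to(workloads[start_name], workloads)
    return {n: h for n, h in hops.items() if "critical" in workloads[n].labels}


if __name__ == "__main__":
    allowed, blocked = evaluate(POLICY, SAMPLE_FLOWS)
    print("allowed:", allowed)
    print("blocked:", blocked)
    for start in ("web-01", "bastion", "laptop-42"):
        print(start, "segmented:", critical_blast_radius(POLICY, start),
              "flat:", critical_blast_radius(FLAT, start))
```

The hop counts are the part worth reading: under the flat policy every workload is one hop from the database, while under the segmented policy the web tier still reaches it in two hops through the app tier and the bastion in one. That residual path is what a policy review would tighten next, for instance by narrowing the bastion rule or by splitting the app tier's database access by environment.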