Overconfident, underprepared: business ransomware threat grows

Technology

02 May 2024

Nick Wilson

overconfident underprepared business ransomware threat grows

News

Australian businesses are losing more than ever to ransomware attacks, both in downtime and payouts to those holding their business data hostage.

The majority of Australian businesses are confident in their cyber risk preparedness, yet the costs and frequency of attacks are growing.

The scale of the cyber security issue was mapped in a recent survey of Australian IT and cyber security decision makers published by cloud-native network detection and response company, ExtraHop.

Ransomware – a type of malware that holds a target's data or device hostage – was identified as a major threat to Australian businesses, with 15 per cent of respondents classing it as the single greatest risk to their organisation.

In 2023 alone, 82 per cent of respondents said their organisation suffered at least six ransomware incidents while more than three-quarters were forced to pay up to their attackers.

The average cost of ransomware payments paid by Australian organisations was nearly $1.3 million, excluding ancillary remediation costs.

Downtime, during which business operations are put on hold while remedying an attack, grew to an average of 62 hours per cyber incident last year for Australian businesses. Large organisations, those with 1,000 to 1,999 employees suffered the longest periods of downtime, averaging 74 hours per incident.

This is although cyber crime tends to go underreported by victim organisations for a range of reasons including a lack of faith in regulatory action and concerns that disclosing an attack could raise red flags among investors and clients.

Shanna Hall, senior content marketing manager at Eftsure, told Accounting Times that reported losses were “not completely consistent with what we’ve seen happening on the ground.”

“Businesses, both customers and otherwise, are really, really hesitant to talk about fraud, even fraud attempts. There’s a lot of stigma around being scammed and losing money to fraud,” she added.

In a survey conducted by Eftsure, it was revealed that only 50 per cent of finance leaders who experience fraud said they reported it to their banks and 25 per cent said they were unsure where they reported it.

“It’s hard to know whether [declining loss amounts] are related to people not knowing where to report fraud or else not wanting to report it, especially after the backlash faced by organisations like Medibank and Optus,” said Hall.

Despite the growing threat of cyber attacks, 91 per cent of Australian respondents said they were confident in their organisation’s ability to manage cyber risk, though a majority admitted they were frequently victimised by existing and emerging threats.

Respondents identified immature risk management processes (24 per cent), misaligned cyber security and business functions (18 per cent), talent constraints (18 per cent), a fast-paced threat landscape (17 per cent), outdated technology (14 per cent), and budgetary constraints (9 per cent) as the key barriers preventing more effective cyber risk management.

Nearly half (48 per cent) said they needed to up their budgets by more than 50 per cent to better manage threats.

More than one-third of respondents (37 per cent) agreed that using AI and machine learning to meet the cyber challenge would be a top priority for their organisation this year.

On the other hand, generative AI threats were the third most common class of cyber threats indicated by global respondents to the survey, suggesting that the technology can have a complicated impact on cyber security.

“Cyber risks are inevitable, and no single organisation is immune to the threat bad actors pose to their business,” said Raja Mukerji, co-founder and chief scientist, ExtraHop.

“With ransomware and downtime on the rise and ripple effects being felt throughout entire organisations, leaders are recognising an inherent need to prioritise cybersecurity, and, better yet, business resilience.”