Over three-quarters of Australian organisations suffered data breaches over the past year and four in five were hit by ransomware attacks – but as new figures suggest 70 per cent of organisations also expect to be hit this year, have executives become blasé about security?
New figures suggest they very well may be.
Not only were 80 per cent of organisations surveyed for the Sophos State of Ransomware 2022 report hit by ransomware during 2021 – up dizzyingly from 45 per cent the year before – but the global survey of 5,600 IT professionals showed Australian organisations are both more susceptible to ransomware than overseas firms, and less capable of recovering from an attack.
Fully 79 per cent of attacks on Australian targets ended up with data being encrypted – well above the global average of 65 per cent – suggesting that Australian companies are not only less well-protected against ransomware attack, but that they are more prone to make ransomware payments to recover their data.
With 65 of the 250 surveyed Australian companies reporting that they had paid a ransom, Sophos principal research scientist Chester Wisniewski said the results suggested that many companies are choosing the most expedient option to get their data back “even when they may have other options available” – even if it means risking further attacks down the road.
“In the aftermath of a ransomware attack there is often intense pressure to get back up and running as soon as possible,” he explained, noting that Australian organisations took a month, on average, to recover from a ransomware attack.
“Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option.”
When time is money – and 86 per cent said they had lost business and/or revenues due to the ransomware attack – faster recovery may seem like a better option, yet Wisniewski noted that paying is also often “fraught with risk”.
“Organisations don’t know what the attackers might have done, such as adding backdoors, copying passwords, and more,” he explained. “If organisations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack.”
Coming back for more
The likelihood of repeat attacks – or additional new attacks – has become widely accepted, with the latest Trend Micro Cyber Risk Index report suggesting that most executives have become philosophical about their chances against ever more-creative and resourceful cybercriminals.
Asia-Pacific companies were leading the world in terms of relative cyber risk, with 76 per cent of Australian companies hit by cyber attacks last year and 18 per cent of respondents admitting they had been hit ten or more times in that period.
With 70 per cent of Australian executives expecting to be hit again over the coming year – and 26 per cent saying it is “very likely” to happen – the firm’s analysts note, businesses “have a very high chance of being affected by a cyberattack”.
Research and development (R&D) information is most likely to be targeted, Trend Micro warned, with financial information, email and other business communication, company-confidential information and trade secrets rounding out the list of the five most-targeted data types.
Australian companies are most worried about cloud computing, mobile and remote employees, and the risks of third-party applications introducing security vulnerabilities that may affect them.
Based on the responses to the Trend Micro survey, Australian organisations are weakest in areas that could be protected by the deployment of new technologies and skills – with a lack of “appropriate investments” in new security technologies like machine learning, automation, analytics and AI.
As well as admitting they lack adequate cyber security skills and expertise to protect their data, Australian companies were also lagging when it comes to using countermeasures like honeypots to fight back against attackers.
“To craft effective cyber security strategy, organisations must master the art of risk management,” ANZ technical director Mick McCluney said, encouraging businesses to combine their security tools into a “platform-based approach” that reduces their exposure to attack and optimises security overall.