Australian businesses – including superannuation companies and insurance houses – are far too willing to pay when hit by ransomware, encouraging further attacks, according to security experts at Deloitte.
James Nunn-Price, cyber risk leader for Deloitte in Asia Pacific, said Australia offered too much “low-hanging fruit” to cyber criminals and that he had been “amazed at how many Australian businesses pay the money” when hit with a ransomware attack through CryptoLocker and the like.
Nunn-Price said he was aware of superannuation companies and even insurance houses being prepared to pay the sums demanded – which may initially be as low as AUD300-500 – to regain access to their data.
“Then they wonder why they get hit again and this time with an extra 0 on the end,” he said.
Mary Galligan, a director at Deloitte and Touche, and a former FBI cyber special agent who was in Sydney this month, identified ransomware as one of the key security threats facing Australian businesses.
Although the initial ransom amounts might only be a couple of hundred dollars, Galligan said that when the FBI arrested one group of ransomware criminals last August, it discovered that this approach had netted it $30m over a year.
The Australian Cyber Security Centre’s (ACSC) 2015 cyber security survey of major Australian businesses, which was released in December, showed that the number of ransomware attacks had quadrupled since 2013. Some 72% of respondents said they had experienced a ransomware attack, compared with 17% in 2013.
Respondents also said ransomware was the security risk they feared most.
Galligan said there is widespread awareness of ransomware – which she described as outright extortion – but added: “The threat actors go to wherever is the weakest kid on the block.”
To help tackle the problem, Galligan advocated corporate cultures in which employees are encouraged to report attempted or successful security incidents.
At present, it appears many security issues are being swept under the carpet. The ACSC report found that 51% of survey respondents had reported cyber security incidents, mainly to CERT Australia, law enforcement authorities or a regulator.
However, 43% of respondents did not report a cyber security incident to anyone. The report notes: “Reporting cyber security incidents ensures that appropriate and timely assistance can be provided. It also helps to develop a threat picture and assist other organisations that may also be at risk.”
Deloitte’s specialists said there was an emerging trend, particularly among government agencies and financial institutions, to share their security experiences more widely in the hope of adding to the general body of knowledge and protecting other companies from similar attacks.