Australian business leaders are increasingly baulking at the prospect of mandatory cyber reporting, with many favouring quick payouts to ransomware criminals.
According to a report by advisory and restructuring firm McGrathNicol, only 60 per cent of surveyed executives said they support mandatory reporting and less than half said an attack should be reported even if a ransom hasn’t been paid.
This is a marked decline from 2022, when 75 per cent were in favour of mandatory reporting and 56 per cent were in favour of reporting even if no ransom was paid.
This year, the average cyber ransom paid flatlined at around $1.03 million, a figure lower than what business leaders said they would be willing to pay at $1.32 million.
Email phishing remains the most common mode of entry, as fraud or business email compromise was used in 30 per cent of all ransomware attacks in 2023, above 21 per cent in 2022.
According to McGrathNicol’s report, which surveyed 500 Australian business leaders, 70 per cent of respondents said they would be willing to pay a ransom. The average time taken to pay was 48 hours.
This comes despite federal government advice warning businesses against paying cyber-criminal ransoms. According to the report, this willingness suggests that ransom payments are seen as a legitimate option by most Australian executives.
“Businesses are still overwhelmingly paying ransoms, and paying them quickly, to avoid negative backlash from customers, partners and stakeholders. It’s now being factored in as a cost of doing business,” said Darren Hopkins, cyber partner at McGrathNicol Advisory.
The report also claimed that businesses are “overconfident” in their ability to respond to an attack. Almost 90 per cent of executives told McGrathNicol that their company is prepared for a ransomware attack, a significant uptick from 78 per cent in 2022.
“This confidence seems overstated, however,” the report said. “Only three in five (61 per cent) organisations have developed a cyber incident response plan and a further 18 per cent of business leaders are unsure of whether one exists.”
In addition, around 80 per cent of businesses said their cyber insurance policy is good value, with 64 per cent saying that their policy protection provides peace of mind.
In March this year, it was reported that the number of data breaches affecting over 5,000 Australians doubled year-on-year during the second half of 2022 to 40 instances, following noteworthy incidents over the last six months.