This month marks the 20th anniversary of National Cyber Security Awareness Month and with cyber risk reaching unprecedented levels after a recent surge in high-profile attacks, particularly on Australian businesses, Ben Robinson, Placement Manager - Professional and Executive Risks, gives us some insights on why not paying a ransom won't solve this issue. With hackers running their operations like sophisticated businesses and constantly adapting their strategies for better returns, banning payments might harm Australian businesses and citizens more than it impacts the cyber-criminal groups, leading them to explore alternative tactics for financial gain.
A year on from the Optus data breach, which impacted almost 10 million customers, we’re seeing an increase in cyber criminals successfully targeting large organisations. Just last month, almost 200,000 Pizza Hut customers had their data leaked in the latest of a string of major cyber-attacks in Australia.
Although the fast-food chain said it took immediate action leading to only a small number of its customers being affected, not everyone has the structure in place to deal with these situations as quickly and many are opting to not pay a ransom as the solution.
There is a misconception that cyber criminals are bedroom hackers, when in reality we are dealing with sophisticated organised crime syndicates run by highly skilled experts who have been honing their craft over many years. Cyber criminals are not stupid. They run tight ships, and the leaders are always looking at the best way to invest their time and resources into a bigger return. They are adaptable and when one strategy starts to underperform, they pivot their approach to maximise ROI – just like any business C-Suite.
At Honan we take a case-by-case approach to advising clients through cyber ransom attacks. There are a number of factors to consider during a ransom scenario, including:
- The volume and sensitivity of stolen data
- Who the data belongs to
- If it’s personally identifiable or payment information
- The recoverability
- The level of sophistication of the attackers
There are some cases where businesses weigh up all their options and decide that paying the ransom is the lesser of two evils to limit exposure of the stolen data. If we look at the Optus incident as an example, they were receiving advice from all corners to pay the ransom yet elected to take a public stand against paying it. You have to wonder if the impact of the breach could have been lessened had they followed expert advice.
The government’s decision to potentially bring in new laws making it illegal for companies to pay ransoms to cyber criminals is more likely to harm Australian businesses and citizens than it is to impact the cyber-criminal groups.
Whilst every cyber incident is unique and Honan takes a tailored approach to advise clients based on a range of factors and a deep understanding of the individual business, paying a ransom shouldn’t be ruled out.
Placement Manager - Professional & Executive Risk