According to a survey from McGrathNicol and YouGov, ransomware attacks are surging. Of the surveyed 500 business owners, partners, directors and c-suite leaders, 69 per cent of businesses suffered a ransomware attack in the past five years. When considering the last 12 months, this figure fell slightly to 56 per cent.
For those that suffered ransomware attacks within the last five years, 84 per cent said they had paid a ransom. Three-quarters said they paid the ransom within 48 hours, which McGrathNicol said was on par with 2023 figures. Meanwhile, 21 per cent paid the ransom within 24 hours.
As for the average payment, 2024’s $1.35 million is the highest McGrathNicol has seen in four years, jumping up 31 per cent from 2023’s average of $1.03 million. In 2022, the average payment sat at $1.01 million and 2021’s average was $1.07 million.
Despite the jump, this is still short of the maximum businesses said they would be willing to pay, which stood at $1.42 million.
One in 10 businesses claimed they would not pay a ransom under any circumstance.
In terms of proactivity, the survey found that 91 per cent of businesses are insured against ransomware attacks with an average coverage of $1.47 million – a jump up from 79 per cent in 2023.
Additionally, 80 per cent of businesses have an incident response plan in place, up from 61 per cent last year, and 77 per cent have a formal board notification protocol, up from 64 per cent in 2023.
“A best practice cyber incident response plan will detail roles and responsibilities in the event of an attack, including decisions on whether the business will pay a cyber ransom and negotiate, or whether a payment is to be avoided under any circumstance,” said Brendan Payne, McGrathNicol cyber partner.
“The plan should also outline recovery steps, communication plans, and the details of a person responsible for reporting the incident to the authorities and external advisers.
“Cyber criminals won’t wait until you’re ready. We encourage organisations to review their response plans at least quarterly.”
McGrathNicol’s survey results on ransomware payments come a day after the federal government passed its Cyber Security Act, which, among other provisions, requires organisations with a turnover of $3 million or more to report ransomware payments to the Australian Signals Directorate within 72 hours of making a payment.
“Business leaders are overwhelmingly in support of mandatory reporting. Our research shows that 79 per cent believe businesses should be required to report a ransomware attack. We applaud the government’s ransomware reporting changes but note the requirement of more than $3 million in turnover,” said McGrathNicol cyber partner Darren Hopkins.
“Under the new legislation, many small to medium businesses will be attacked, pay a ransom, and still not have to report it. We encourage the government to consider expanding the scheme so that we can quantify just how much money is being funnelled to cyber criminals every day of the year.
“Our research shows that having to report a payment is unlikely to influence whether a business will make a ransom payment while they believe it is legal to do so.”