McGrathNicol Advisory launched the findings of its third annual ransomware survey, revealing that 56 percent of Australian businesses have suffered a ransomware attack in the past five years: 42 percent of medium and large businesses have fallen victim to a single attack, while 14 percent have been targeted multiple times. Of those that did suffer an attack, close to three quarters (73 percent) chose to pay the ransom demand.
Now in its third year, McGrathNicol Advisory’s Ransomware Survey provides an authoritative barometer of the ransomware threat to Australian businesses. McGrathNicol partnered with YouGov to survey 500 Australian business owners, partners, directors and C-Suite leaders at businesses with 50 or more employees. The five-year ransomware figure is down from a high of 69 percent in 2022, but remains well above the 31 percent recorded in 2021, when McGrathNicol started tracking these results. The findings suggest that cyber criminals hit a ransomware peak last year and have diversified into other forms of cyber extortion in 2023.
The proportion of business leaders who reported making a ransomware payment declined slightly year-on-year, from 79 percent in 2022 (and 83 percent in 2021), but has remained high despite government pressure and regulatory scrutiny. Australian organisations are acquiescing quickly: 74 percent of executives reported paying the ransom within 48 hours, while almost two in five (37 percent) paid within 24 hours. This is consistent with previous years, with 78 percent of companies surveyed in 2022 reporting that they paid within 48 hours, and 74 percent in 2021.
Overall, the estimated average cyber ransom paid was $1.03 million, on par with $1.01 million in 2022 and $1.07 million in 2021. This figure is still lower than the average amount that business leaders would be willing to pay ($1.32 million). Despite consistent government advice against doing so, 70 percent of surveyed businesses (including those yet to experience an attack) said they would be willing to pay a ransom. This suggests that ransom payments are seen as a legitimate option by most Australian executives and have already been factored in as a cost of doing business.
Australian businesses soften on reporting
The 2023 McGrathNicol survey found that executives’ attitudes to reporting ransom payments to authorities have also softened. In 2022, 75 percent of surveyed executives believed that it should be mandatory for an Australian business to report a ransomware attack to the authorities—with almost three in five (56 percent) believing that it should be reported regardless of whether a ransom payment is made. However, this trend has reversed in 2023, with only 60 percent of executives saying they support mandatory reporting and less than half (46 percent) saying an attack should be reported even if a ransom hasn’t been paid.
A closer look at payment motivations provides further insight. The research found that three quarters of business leaders (74 percent) cite external risks as the reason for paying a cyber ransom, including minimising potential harm to stakeholders, reducing brand damage, and avoiding the leak of sensitive information. As attacks become more commonplace, executives’ attitudes towards ransomware payments by businesses in their supply chain are also easing: 83 percent of executives say that knowledge of a payment by a business they are associated with would negatively affect their perception of that business, down from 91 percent in 2022 and 90 percent in 2021.
These drivers help to explain the high proportion of organisations that attempt to negotiate with cybercriminals. This year, two in three (66 percent) negotiated prior to making a ransom payment, up from 59 percent in 2021 but down from a high of 74 percent in 2022.
Darren Hopkins, Cyber Partner at McGrathNicol Advisory, said: “Businesses are still overwhelmingly paying ransoms, and paying them quickly, to avoid negative backlash from customers, partners and stakeholders. It’s now being factored in as a cost of doing business. The research shows that executives are becoming empathetic and less hard-nosed about reporting these attacks to authorities. But without greater collaboration and knowledge-sharing, our ability to prevent ransomware attacks is undermined. This intelligence can help business leaders make informed decisions rather than rushing into paying an expensive, and potentially illegal, ransom.”
One noteworthy finding suggests that businesses may be overconfident in their ability to respond to ransomware attacks. 88 percent of executives believe their organisation is adequately “prepared”, up sharply from 78 percent the previous year. That confidence appears inflated: only three in five organisations (61 percent) have a documented cyber incident response plan, and a further 18 percent of business leaders do not know whether their organisation has one, pointing to real gaps in preparedness.
Another significant finding concerns how businesses perceive cyber insurance. 80 percent of surveyed businesses consider their cyber insurance policy good value, and 64 percent say the policy gives them peace of mind. Among executives, 44 percent attribute that positive view to the role a cyber insurance payout would play in protecting the business financially.
The survey also underscores the persistent role of email as the entry point for ransomware. Email fraud, or ‘business email compromise’, remained the most common mode of entry, accounting for 30 percent of all ransomware attacks in 2023, in line with the proportion observed in 2022.
Blare Sutton, Cyber Partner at McGrathNicol Advisory, added: “The growing acceptance of ransomware payments indicates that the threat is becoming normalised. However, this isn’t making businesses safer, it is merely continuing to fund the activities of cyber criminals who are evolving and diversifying their attacks.”