It’s easy to see why ransomware is such a cash cow for cybercriminals. It’s more efficient and profitable than other cybercrimes and by exploiting our near-total dependence on the internet, bad actors can demand millions of dollars to restore operations.
It’s also the worst-kept secret among Australia’s cyber community that businesses have been quietly paying millions in ransoms to bad actors who have stolen or encrypted their data.
A survey by corporate advisory firm McGrathNicol found that almost a third of Australian businesses hit by ransomware skipped negotiation altogether and paid a ransom of more than one million dollars to end the attack.
The survey also found that 44% of organisations made a ransomware payment within 24 hours of an attack to limit reputational damage, which suggests that business leaders are beginning to treat ransom payments as just another cost of doing business.
The Australian Cyber Security Centre (ACSC) received almost 500 ransomware-related cybercrime reports last financial year and has issued multiple warnings about the risk of ransomware attacks, yet it remains the dominant threat facing organisations today.
Last month alone, several high-profile Australian organisations fell victim to ransomware attacks, potentially exposing millions of personal records to identity theft and fraud.
Amid a flood of cyberattacks, it is easy for organisations to become desensitised and resign themselves to treating the ransom as a line item in the budget. Public and private sector organisations alike should not succumb to this kind of learned helplessness.
Helplessness lets organisations stay negligent and avoid accountability for failing to take even the most basic steps to improve their cyber posture. Instead, the bar for baseline cyber hygiene should be raised. Government can play a stronger role in deterrence, attribution of attacks and sanctions regimes, but those efforts are no substitute for promoting and implementing basic cyber hygiene practices and processes inside organisations.
Understanding today’s cyber threat landscape
As businesses expand their technology stack with new tools that let them work better, faster and at greater scale, they also expand the attack surface through which a cyberattack can arrive. Modern organisations of every size face a growing number of threats, and those threats vary widely in sophistication, so there is no one-size-fits-all formula for working out what a given threat means for one organisation compared with another.
Understanding a business's own threat landscape, the real risks and their potential impact, and how to prioritise threats for remediation is now at least as important as any other mission-critical business analysis or decision. It is the only way to sustain adequate cyber hygiene and security measures over time.
Preparedness should always be an organisation’s top priority
The high frequency of these attacks shows there is no room for complacency, and that many organisations are still not adequately prepared to respond. As the saying often attributed to Benjamin Franklin goes, “if you fail to plan, you’re planning to fail”. Organisations should ready themselves for ransomware as they would for any other emergency. It is increasingly important to have mechanisms that anticipate cyberattacks and communicate those risks to decision-makers so the organisation can defend against emerging threats.
Preparedness is often overlooked in the emergency management of ransomware attacks. It is not only about putting mitigation measures in place; organisations also need to run simulated attacks against their own networks (for example, tabletop exercises or red team engagements) to find the gaps in their incident response plans before a real attacker does. Being prepared gives stakeholders across the organisation confidence that, in the event of a real ransomware attack, the response will be calm and measured.
Being prepared saves time, money and effort compared with responding unprepared to a large-scale cyberattack that causes critical, long-term damage, damage that some organisations would struggle to ever recover from.
Cyber defence requires an ‘all hands on deck’ approach
How an organisation responds to a ransomware attack has become increasingly important over the last few years.
While an organisation is trying to recover from an attack and restore its business operations, it also faces the added pressure of reputational damage from the leak of confidential information.
Given how publicly and how intensely the media reports on leaked information, ransomware response often happens in the public eye. Defending against ransomware is therefore not limited to security and IT teams. Customer support, legal, public relations and investor relations may all end up involved in the response. These internal stakeholders, at a minimum, must be part of an organisation’s preparedness efforts against ransomware.
Ransomware is not an issue that can be resolved in a vacuum. Organisations ultimately need to make it more difficult and less lucrative for bad actors by shoring up their cyber hygiene fundamentals, preparing for ransomware attacks like they would any other disaster and having an all-hands-on-deck approach.