Credit: ID 82692506 © Sergei Panasenko | Dreamstime.com
Had Ned Kelly, our iconic of all bushrangers been alive today, he would have been confounded by corporate Australia’s view of its own invincibility.
If equating Kelly’s need for protective armour is a juxtaposition to companies failing to steel themselves in a burgeoning new world of technology, where cybercrime is now its biggest threat, just as the police were to Kelly, then Australia’s lack of engagement on the issue remains a perplexing issue.
Kelly never went into battle with police without his trademark armour, so why is business failing to guard itself against the threats of cybercrime?
It’s a question that is confounding cybersecurity experts, and just as Nero did who fiddled while Rome burned, if business continues to maintain its current approach to cybersecurity, then its own Rome will turn to ashes because inaction will have contributed to its capital burning to the ground.
2019 has been a year where cybercrime has consistently dictated the headlines with more than 23,000 Australian businesses experiencing some form of cyber incident.
And as the numbers continue to grow, no more damning a statistic can be found than what transpired in the first half of the year - 9.2 million malware detections were recorded by business with the average cost paid to cyber extortionists being $36,295. However, there have been payments made as high as $250,000.
The cost of cybercrime in Australia for 2019 alone is expected to exceed the billion-dollar mark, a statistic that is not only set to grow by more than 27 per cent in 2020, but come 2022, by a further 52 per cent - figures reflective of inaction and disturbing to corporate Australia’s economic and general welfare.
So, what will it take for business to change its mind set, and what will be its tipping point before we see the collapse of some corporates?
Australian research shows a compellingly dangerous figure where 52 per cent of companies are paying the demands sought by cybercriminals.
No better example exists than what Melbourne Heart Clinic endured when it was held to ransom - its patient care, business operations and reputation were all heavily impacted. Motoring giant Toyota Australia also isn’t foreign to ransomware attacks either – it had its business services crippled.
With consistent regularity that is distorting the horizons of corporate Australia, is the prevalence of cyberattacks, with the most recent as of September, 19. At Security in Depth, we have witnessed a disturbing 4,357 malware attacks – most of which were easily managed and preventable and some not.
What continues to prove a telling theme of ignorance is the countless board meetings attended where an organisation’s initial thought is not to pay extortionists and then change their minds when they are unable to retrieve critical systems, making the cost to rectify the problem an even more expensive exercise - which now makes insurance an essential asset.
It’s not that long ago one organisation was hit by a major cyberattack, crippling it along with the demand for $250,000. Economic pragmatism in the end won out. It realised its computers were locked and staff were unable to work.
Even more crucial to its decision was its inability to decrypt sensitive client data, which is where the role of its insurer became pivotal – it wore part of the bill paying $100,000 of the $250,000 ask.
Negotiating a reduced amount and paying the balance, compared to the cost of rebuilding all the files and information encrypted would have been far more expensive than the payout.
The role insurance companies play are integral to mitigating the economic fallout, with the question whether to pay or not to pay becoming an easier assessment to make by insurers.
Detailed analysis has been conducted at an economic level by all stakeholders including cybercriminals and once the numbers are crunched, the penny drops and the awakening of reality concludes that paying reduces time off line, enables access to critical files and has the business up and running with minimal disruption.
The challenges organisations face by allowing themselves to be extorted is that it encourages cyber criminals to blossom and ply their trade – not necessarily against the organisation hit, but by helping to foster a growing industry, inadvertently funding new versions of malware and ransomware, allowing cyber criminals to expand their operations and targeting organisations.
Companies succumb to the demands of cyber extortionists because it’s the cheapest, quickest and easiest option to extract themselves out a situation where it seems there is no light. It may not be right, but it frees them from potential ruination and the burning down of their own Rome.
Michael Connory is the CEO of Security In Depth.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.