Losing the cybersecurity war
“Last year, cybercrime cost businesses more than US$1 trillion worldwide. Cybersecurity technology company CrowdStrike looked at the top 200 Australian companies and found that 67 per cent of them had been hit with a ransomware attack, which is just one form of cybercrime. That’s 10 per cent more than the global average.
A ransomware attack is where a criminal gets into your system, encrypts it, steals some of your data and sends you a ransom notice. You’re left with the invidious decision of whether to pay the ransom or try to rebuild from backups, which is incredibly difficult. CrowdStrike found 33 per cent of Australian organisations that were hit with a ransomware attack paid the ransom and, on average, they paid $1.5 million, which is 20 per cent more than the world average.
Australia has a problem. Ransomware attacks have jumped significantly over the past 12 to 24 months and are continuing to grow at pace in terms of the number of assaults and the sophistication of the companies that perpetrators are prepared to target. Also, because the cybercriminals are getting paid, it’s encouraging them to be more aggressive.
Just three years ago, if I was helping a company with a ransomware attack, the ransom might have been $50,000 to $100,000; now it’s regularly starting at $1.5 million. So this is a thriving business model – it’s not hackers who are disgruntled youths sitting in their parents’ basement. This is a serious business.
Willis Towers Watson, one of the big insurance brokers, says that 91 per cent of cyber attacks start with a phishing email. I believe that Australians are late to the party with the degree of cynicism they need to approach their inbox. Perhaps our genial and more trusting nature is leading us down this track, where we’re getting hit harder than the rest of the world. In some respects that’s good because we know what we need to do to change it and that’s all about internal controls.
This has got to be driven from the top. I don’t think CEOs and boards are necessarily communicating to their organisations that this is the most important issue for them. I worked with a company that’s probably worth a quarter of a billion dollars. After getting hit with a ransomware attack the CEO said to me, ‘This is so unfair. Why did this happen to us?’
That particular organisation wasn’t prepared. You know the old saying, ‘When you fail to prepare, you prepare to fail.’ That couldn’t be more relevant than in cyber. More leadership focus is needed on it.
The government is going to force this on organisations – it’s recognised that cybersecurity is one of the critical risk issues facing Australia. Boards of companies deemed to be essential infrastructure are going to be required to sign off on the cybersecurity posture of their organisation, for example, that there have been no attacks during the year. Once this happens, you’re going to see a lot more attention on cyber and more money spent on technology and the training to boost cybersecurity.”