
    The McGrathNicol annual ransomware survey showed 69 per cent of participating Australian businesses have suffered a ransomware attack in the past five years. 

    Overall, the average cyber ransom paid was $1.35m — which is a significant increase from $1.03m in 2023. Only one in 10 businesses say they would not pay under any circumstances.

    Of those businesses that experienced a ransomware attack, the majority (75 per cent) paid the ransom within 48 hours. This figure is on par with 2023 and reflects the difficult decision-making and time pressures on executives facing a ransomware scenario. One in five (21 per cent) made the payment within 24 hours.

    New cybersecurity legislation will require organisations above a certain revenue threshold to report payments to the government within 72 hours of making a payment. Fines of up to 60 penalty units have been put forward for businesses and organisations that fail to report.

    “Business leaders are overwhelmingly in support of mandatory reporting,” says Darren Hopkins, cyber partner at McGrathNicol.

    “Our research shows 79 per cent believe businesses should be required to report a ransomware attack, and that having to report a payment is unlikely to influence whether a business will make a ransom payment while they believe it is legal to do so.”

    A best practice cyber incident response plan is essential for boards before a cyber threat happens. McGrathNicol cyber partner Brendan Payne says that plan should detail roles and responsibilities in the event of an attack, including decisions on whether the business will pay a cyber ransom and negotiate — or whether a payment is to be avoided under any circumstance. The plan should also outline recovery steps, communication plans and the details of a person responsible for reporting the incident to authorities and external advisers — and be reviewed at least quarterly.

    Sensitive information leakage

    Six per cent of Australian workers violate company data protection policy each month.

    Netskope Threat Labs’ annual threat report found workers are sending sensitive company data into systems, tools or applications where it is not authorised to go, or to unauthorised recipients. Regulated data (37 per cent), intellectual property (31 per cent) and passwords and keys (25 per cent) are the most common types of data leakage.

    GenAI applications are the channel for a significant number of data policy breaches, with source code (46 per cent) the most common type of sensitive data leaked in genAI prompts, followed by IP (26 per cent) and regulated data (18 per cent).

    Rewriting and debugging source code is one of the top use cases for genAI usage, but these figures indicate users frequently choose tools unapproved by their organisation for this task, and share private code.

    GenAI application usage continues to increase in Australia. GenAI apps are now being used in 93 per cent of local organisations, up from 75 per cent a year ago, with eight per cent of workers using genAI applications at least once a month. In response, organisations are tightening genAI security policies, blocking applications that serve no legitimate business purpose.

    This article first appeared under the headline ‘Ransomware payments soar’ in the February 2025 issue of Company Director magazine.  