Cybercrime is a silent epidemic that has produced global losses totalling more than US$1 trillion. It is huge in scale and diverse in form, but there is one type that presents a unique threat to businesses worldwide: ransomware.
Ransomware has hit some of Australia’s biggest companies, and it’s likely that other organisations have kept similar hits out of the spotlight. Strategy and policy surrounding the legality of cybercrime are now essential – or hits to business will only get worse.
Governments, civil society groups and businesses need to know how to manage and mitigate the risk of ransomware. The policy report by ASPI (pdf download available below) addresses key areas where improved guidance is needed and where better support for cybersecurity can be achieved.
What is Ransomware?
Ransomware is a form of malware designed and deployed by state and non-state cybercriminals. This malware is coded to seek out vulnerabilities in the computer systems of organisations. Successful infiltration results in the locking, encryption and extraction of data, rendering computers and their files unusable. Attacks are accompanied by a demand for a ransom to be paid in return for decrypting and unlocking systems. Increasingly, attacks include an extortion element that involves threats to leak stolen data publicly or on the dark web if payment isn’t made.
It is a form of cybercrime that is both scalable and readily commoditised: it can be bought as a service, generally on the dark web. The most common ways ransomware is deployed into a system are email phishing campaigns, remote-access vulnerabilities and software vulnerabilities.
Ransomware is difficult to tackle using traditional law enforcement methods because the criminal actors involved are usually located offshore.
It’s important to note that ransomware attacks are entirely foreseeable and almost always defensible – think of the IT infrastructure in place as the equivalent of security alarms or fences on physical premises.
Do Australians value cybersecurity?
The 2021 Lowy Institute Poll reported that 98% of respondents viewed ‘cyber-attacks from other countries’ as a critical (62%) or important (36%) threat to Australia over the next decade.
To give perspective, this result ranked higher than climate change, Covid-19, a downturn in the economy and international terrorism.
But do Australians understand ransomware?
The Cyber Security Cooperative Research Centre conducted a survey of 1,000 Australian adults in 2021 on ‘Understanding ransomware’:
- 25% of respondents said ransomware was the most significant cybersecurity threat to Australian businesses, coming in behind hacking (48%)
- 77% said they wouldn’t know what to do if they fell victim to a ransomware attack but, when given a set of options, 56% said they would contact the ACSC (Australian Cyber Security Centre)
- 42% said they understood how a ransomware attack occurred, and 44% indicated that they knew what happened in a ransomware attack
- Respondents believed financial gain was the key aim of an attack (71%), followed by data theft (14%)
While this survey wasn’t exhaustive, it clearly shows that the community has little understanding of ransomware, illustrating that a more concerted effort to educate Australians is needed.
Approaching Cyber Security as an SME
Insurance: Australia’s cyber insurance market has expanded. Policies can be expensive and broad in scope, and they should cover the recovery, replacement and regulatory costs associated with a ransomware attack. However, there is potential for organisations with cyber insurance to be lax in their approach to managing cyber security.
Greater Public Transparency: It’s understandable that the specifics of attacks and victims aren’t released into the public domain. However, if more insight were provided into the prevalence and root causes of ransomware crimes in Australia there would be greater onus on organisations to harden their systems against attack.
Patch Management: All software is prone to vulnerabilities and, once a vulnerability is exposed and shared, cybercriminals have a metaphorical front-door key. Patch management is essential for effective cybersecurity: it ensures that the security features of software on computers and devices are up to date. A 2019 report by the Ponemon Institute found that, of the 48% of organisations that had experienced data breaches in the preceding year, 60% reported that the breaches resulted from failure to patch.
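The point above is that the window between a vendor publishing a fix and an organisation applying it is the window the attacker uses. The following script is an added illustration (not code from the ASPI report or from BES IT Systems) of the check a small IT team would run to measure that window: it compares a constructed software inventory against a constructed list of vendor fixes and reports every host still running a version below the fixed one, with the number of days it has been exposed. Product names, versions and dates are all made up for the example.

```python
"""Patch-backlog check: added example, not from the ASPI report or BES IT Systems.

Compares a (constructed) software inventory with a (constructed) list of vendor
fixes and reports hosts that are still below the fixed version, together with
how many days they have been exposed since the oldest unapplied fix was published.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str
    checked_on: date      # date the inventory entry was collected


@dataclass(frozen=True)
class Fix:
    product: str
    fixed_in: str         # first version that contains the fix
    published: date       # date the vendor released the fix


def parse_version(v: str) -> tuple:
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically, not as strings
    (as strings, '2.10' would sort below '2.9')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_missing_fix(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version that carries the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def patch_backlog(inventory, fixes):
    """One record per (host, product) that is still below a published fix.

    exposed_days counts from the OLDEST unapplied fix, because that is how long
    the host has been running software with a publicly known fixable defect.
    fixed_in reports the NEWEST fix, i.e. the version the host should be moved to.
    """
    records = []
    for item in inventory:
        missing = [f for f in fixes
                   if f.product == item.product and is_missing_fix(item.version, f.fixed_in)]
        if not missing:
            continue
        oldest = min(missing, key=lambda f: f.published)
        newest = max(missing, key=lambda f: parse_version(f.fixed_in))
        records.append({
            "host": item.host,
            "product": item.product,
            "installed": item.version,
            "fixed_in": newest.fixed_in,
            "exposed_days": (item.checked_on - oldest.published).days,
        })
    # Worst exposure first, so the report reads as a priority list.
    return sorted(records, key=lambda r: r["exposed_days"], reverse=True)


# Constructed sample data (hypothetical products, versions and dates).
FIXES = [
    Fix("webserver", "2.4.51", date(2021, 10, 7)),
    Fix("webserver", "2.4.53", date(2022, 3, 14)),
    Fix("vpn-gateway", "9.1.2", date(2021, 6, 1)),
    Fix("office-suite", "16.0.14", date(2022, 1, 11)),
]

CHECKED = date(2022, 4, 1)
INVENTORY = [
    Installed("web-01", "webserver", "2.4.49", CHECKED),     # two fixes behind
    Installed("web-02", "webserver", "2.4.53", CHECKED),     # current
    Installed("vpn-01", "vpn-gateway", "9.1.2", CHECKED),    # current
    Installed("pc-07", "office-suite", "16.0.9", CHECKED),   # one fix behind
    Installed("pc-08", "legacy-app", "1.0", CHECKED),        # no known fixes: not reported
]


if __name__ == "__main__":
    for r in patch_backlog(INVENTORY, FIXES):
        print(f"{r['host']:8} {r['product']:14} {r['installed']:>8} -> {r['fixed_in']:<8} "
              f"exposed {r['exposed_days']} days")
```

In practice the inventory comes from an endpoint-management or asset tool and the fix list from vendor advisories; the useful output is the sorted list, which turns "we patch regularly" into a measurable backlog that a board or insurer can be shown.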
Education for Staff at all levels: The route to a cyber breach is simple – you only need to trick one person to gain access to a system. Education is necessary to improve knowledge and mitigate risk. Many ransomware attacks would be avoidable if effective organisational cybersecurity controls were in place and good cyber hygiene was practised.
Phishing emails containing malicious links are common lures used to deploy ransomware. The FBI reported 241,342 phishing complaints in 2020 and estimated that phishing cost more than US$54 million. Training employees to be better prepared to identify suspicious emails is essential.
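Training staff to spot a suspicious link works better when the same checks are also run by software. The script below is an added example (it is not code from the ASPI report or from BES IT Systems) of the simplest of those checks applied to an HTML email body: it flags links whose visible text names one domain while the href actually points somewhere else, links whose host is a raw IP address, links with non-ASCII (lookalike) characters in the host, and links using an unexpected URL scheme. The sample email and all domains in it are constructed for the example; the domain extraction is deliberately simplified (a real filter would use the public suffix list).

```python
"""Suspicious-link check for an HTML email body: added example, not from the
ASPI report or BES IT Systems. The sample message is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('portal.example.com' -> 'example.com').
    Simplified on purpose: ignores multi-label suffixes such as com.au."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def visible_domain(text: str):
    """The domain the link text claims to lead to, or None if it names none."""
    m = _DOMAIN_IN_TEXT.search(text)
    return registrable_domain(m.group(0)) if m else None


def assess_link(href: str, text: str) -> list:
    """Return a list of reasons the link looks suspicious (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https", "mailto"):
        reasons.append(f"unexpected scheme '{parsed.scheme}'")
    if _IPV4.fullmatch(host):
        reasons.append("raw IP address host")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in host")
    claimed = visible_domain(text)
    if claimed and host and claimed != registrable_domain(host):
        reasons.append(f"text names {claimed} but link goes to {registrable_domain(host)}")
    return reasons


def suspicious_links(html_body: str) -> list:
    """Parse the body and return only the links that raised at least one reason."""
    collector = LinkCollector()
    collector.feed(html_body)
    found = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            found.append({"href": href, "text": text, "reasons": reasons})
    return found


# Constructed sample email body (all hosts are documentation/example addresses).
SAMPLE_EMAIL = """
<p>Your invoice is overdue. Review it at
   <a href="http://203.0.113.5/invoice">https://portal.example.com/invoice</a></p>
<p>Or <a href="https://secure-login.example.net/">log in to example.com</a></p>
<p>Questions? See <a href="https://www.example.com/help">example.com help</a></p>
<p><a href="mailto:billing@example.com">Email billing</a></p>
"""


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print(link["href"], "->", "; ".join(link["reasons"]))
```

Run on the sample, the first two links are reported (an IP-address host behind text that claims the company portal, and a different domain behind text that claims the company domain) while the genuine help link and the mailto link pass. The same rules, shown to staff with these examples, are the ones they can apply by hovering over a link before clicking.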
Taking personal responsibility: It’s the responsibility of all executives, business leaders and boards to be aware of and effectively manage cybersecurity risks. Appropriate measures need to be put in place to foster a culture in which cybersecurity really does matter.
Ransomware isn’t an abstract possibility. In Australia, the threat is present right now and won’t be going away. Unless efforts are made to protect against this risk, the problem will simply get worse.
There’s a key role for the Australian Government to play in leading the way, but tackling ransomware is a shared responsibility. Organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch. There are practical and easily implementable steps the government can take to provide clarity, guidance and support.
BES IT Systems is at the forefront of protective IT security measures, training and monitoring. We aim to ensure that our customers have the right barriers in place to protect their private information from cybercrime. Planning for cybersecurity breaches should be an essential detail in any Business Continuity Plan. We encourage you to read the full article, linked below, and if it raises any questions about your digital wellbeing, give our team a call today.
This blog article has been created using the findings presented by the Australian Strategic Policy Institute (ASPI) in: Falk, R. and Brown, A.L. (2021) Exfiltrate, encrypt, extort: The global rise of ransomware and Australia’s policy options.
You can download the pdf report here: DOWNLOAD
ASPI is an independent, non-partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies, issues related to information and foreign interference and focuses on the impact these issues have on broader strategic policy.