Ransomware: Finding An Answer To The Toughest Question
First published in InnovationAus on 7 December 2021
“To pay, or not to pay, that is the question…” Any organisation hit by ransomware will face this tough question unless it has robust data backup and recovery practices sufficient to enable a recovery.
Contemplating this unfortunate eventuality and rehearsing the response should be part of every organisation’s cyber resilience, but there is a problem.
Nick Abrahams, global co-leader of the digital transformation practice at law firm Norton Rose Fulbright, conducts ransomware simulation exercises with company boards.
“I take them through the six key issues they need to resolve before they figure out whether they should pay the ransom or not,” he says.
He’s done this multiple times, but never has a board taken a unanimous decision to pay.
“It’s very different to any other board decision, because at its core it is a question: ‘Should we pay a criminal to get a better outcome for our company?’ And that is quite challenging at an ethical level,” Mr Abrahams says.
He was talking with Nick Lennon, ANZ Country Manager for email security and cyber resilience company Mimecast, in an InnovationAus Leadership Council fireside chat discussing the Australian Government’s Ransomware Action Plan.
“At its core, the plan just says if you’re a company that has over $10 million turnover and you get hit with a ransomware attack, then you have to notify,” Mr Abrahams said.
So, while the Ransomware Action Plan is only a start, the information provided through some of its proposed measures could support other initiatives and help counter the scourge of ransomware.
That said, the reporting mandate as it currently stands will not apply to the great majority of Australian business.
Mr Lennon said, “It is a meaningful step forward and demonstrates how regulation is catching up to some of the technology advances and technology challenges that impact Australian businesses, but would require only two percent of Australian businesses to be reporting ransomware.”
He suggested Australia should follow the lead of the US and require details of ransomware payments to be notified.
“There’s a bill just introduced in the US with a ransom payment notification obligation. I think it’s very important to know how much is being paid in ransoms and who is paying. It would be great to see that here.”
What the notification plan will do, Mr Abrahams suggested, is produce beefed up security budgets in those organisations to which it applies and, hopefully, reduce the number of successful cyberattacks.
“Nothing frees up budget like the board becoming responsible, at a legal level, for issues. That’s what we’re seeing with the Ransomware Action Plan,” he said.
“And with the security of critical infrastructure changes that are coming through, we are seeing heightened focus on boards being responsible. That means there should be more budget for cybersecurity.
“Good cybersecurity posture is critical for all organisations, regardless of their size. It’s about recognising the risk is out there, the risk is significant, and it’s likely to happen to your organisation.
“You need to be in a position where you can restore as quickly as possible. So, cybersecurity budget is critical for all organisations.”
He suggested many organisations did not allocate adequate budgets and resources to cybersecurity, relating the case of one organisation hit by ransomware whose CEO described the company’s trouble as “unfair”.
“They had not spent money on cybersecurity. It had not been a focus. They had no plan for how they were going to respond to a cybersecurity breach.”
Mimecast earlier this year, in its submission to the Department of Home Affairs’ consultation on strengthening Australia’s cyber security regulations and incentives, floated the idea of a government-funded ‘cyber health’ scheme for SMBs, arguing it would bring benefits to the Australian economy.
Mr Lennon drew a parallel with how government healthcare funding, in the form of Medicare, had brought overall benefits to the Australian economy.
He said the current focus on ransomware, created by the action plan, represented an opportunity to consider a novel approach to protecting SMBs from ransomware.
“There’s an opportunity for industry, education and government to come together and think about how SMEs get access to appropriate cybersecurity services that might provide a protection layer across all businesses,” Mr Lennon said.
“The Ransomware Action Plan represents great leadership on policy and opens up a bigger opportunity to extend responsibility and accessibility into the SMEs with some different thinking.”