A culture of quickly paying ransomware extortionists has not only made Australian businesses high-profile targets for further attacks but risks destroying corporate reputations through the direct funding of organised crime, security experts have warned as ransomware volumes continue to pummel unprepared businesses.
Many companies are well aware that they remain unprepared to deal with security compromises, with one recent survey finding that 40 percent of Australian IT decision-makers felt unprepared to deal with malicious attacks even though 55 percent had experienced an email hack or breach - well ahead of the levels in other countries.
That lack of preparedness typically surfaces in problematic ways as often-small businesses find themselves locked out of their files without current backups, or with no clear way of restoring from whatever backups they do have. Yet instead of improving their proactive defences, many are paying ransoms straight away - increasingly considering them a cost of doing business.
And while it may seem like a straightforward cost-benefit business decision, this approach is raising all kinds of new questions. "One of the reasons Australia has become the #1 target worldwide is that the Australian market is paying for every single attack," says Guy Eilon, ANZ general manager and senior manager with security firm Forcepoint.
"If you were an attacker and were attacking someone who was paying you to release his environment, you would keep attacking him again and again." A recent analysis by Australian research firm IBRS noted that while paying ransoms is the quickest and easiest way to recover files - and that ransomware extortionists are generally keeping their word to unlock files after payment - companies may find that the payment of such people goes directly against the established corporate brand ethos.
"The decision to pay, or not, should not be based on the equation of 'which is cheaper, the ransom or the cost of security?'," analyst James Turner wrote. "Management's decision should be driven by the question, 'are we prepared to hand money to organised crime?'" "When executives consider that their choice to pay a ransom may directly help fund the illegal drugs trade and sex trafficking, the only morally defensible option is to not pay, and prepare accordingly. For organisations that are keen to maintain a brand of trustworthiness and corporate social responsibility, it should be a simple decision to make."
The importance of trust and ethical conduct has been underscored by recent arguments that businesses need to view security as a way of building and maintaining trust with their customers; compromising this trust can lead to significant consequences and the imperative is therefore to do whatever is necessary to maintain it.