The average ransomware payment in Australia has soared to a massive $1.35 million, with businesses increasingly willing to pay to regain access to computer systems and data locked up by cybercriminals.
Darren Hopkins and Brendan Payne, Cyber Partners at McGrathNicol Advisory, talk to Sean Aylmer about their annual assessment of the ransomware threat now faced by Australian companies.
McGrathNicol Advisory is a supporter of Fear & Greed.
Welcome to the Fear and Greed Business Interview. I'm Sean Aylmer. The average ransomware payment in Australia is now one point three five million dollars. It seems businesses are increasingly willing to pay to regain access to computer systems and data locked up by cyber criminals. Every year we talk to the team at McGrathNicol about this, because not only do they help companies prepare for and deal with these attacks, they also monitor the overall ransomware threat facing Australian businesses. Darren Hopkins and Brendan Payne are cyber partners at McGrathNicol Advisory, which is a great supporter of this podcast. Darren, Brendan, welcome back to Fear and Greed.
Thanks, Sean. Thanks, Sean.
For four years now McGrathNicol has partnered with YouGov to survey five hundred Australian business owners, partners, directors and C-suite leaders across businesses. We're talking about companies with fifty-plus employees here, to work out the ransomware threat facing Australian businesses. Darren, why did McGrathNicol start the research, and what trends have you seen over the past four years or so?
Sure. I was looking at this only on the weekend as I was going through the draft results of this particular year's survey. We've been doing it for four years, and I still remember that four years ago we were in the position of seeing a lot of businesses pay ransoms, and we couldn't ourselves understand why businesses were so likely to step up and, given my background in law enforcement, pay a criminal money for an extortion. It seemed incredible. So we started the research there. At the time I had just finished a job where our client had effectively just had to find seven million dollars US to pay a Russian-based cyber criminal group to get their systems back up and running and actually to continue business, and they needed to do it to operate. They were in a really bad position. Six months after that event, I was with the team. We were talking to the executives on the board about a budget to improve the business, to defend itself going forward, all the things that you would hope a business does, and we were able to get five hundred thousand dollars over three years to work on the problem. And at that time I thought, how is it that we can pay ten million Aussie to a ransomware group, but we can only find this little amount of money, and why is it we're doing it so often? That's why we started doing the research. It was a little bit of "I'd like to know more", and we were trying to understand the drivers behind why we're doing that, so that maybe we can help businesses avoid having to do that.
Brendan, what about the headline results this year? We've just heard why you're doing the survey. How has the ransomware threat changed since this time last year?
It's a good question, Sean. There are a lot of key findings from our twenty twenty-four survey, so I'll do my best to talk to the critical ones and the ones that really stand out. But what it does show, or reveal, is that twenty-four percent of Australian businesses that experienced a ransomware attack in the past five years actually chose to pay the ransom. Additionally, seventy-five percent of these businesses reported paying the ransom within forty-eight hours, which remains unchanged from last year. Now, according to the research, there has been a significant increase in ransomware payments, with the average payment soaring to one point three five million Australian dollars. That's up from just over a million dollars in twenty twenty-three. Now, interestingly, eighty-three percent of businesses, including those that haven't yet been attacked, stated that they would be willing to pay a cyber ransom, and seventy-nine percent of executives believe it should be mandatory for businesses to report a ransomware attack. Now, if we look at the groups responsible for these attacks, among respondents whose business experienced an attack in the past five years, almost twenty-eight percent of these can be tied back to just two threat groups, known as LockBit and RansomHub. But overall, Sean, what we're seeing is a return to the highs of the results we saw in twenty twenty-two.
What amazes me in this, Darren, is that people are so willing to pay. Like, particularly given government legislation and all the talk about it, people in these high-pressure situations seem willing to pay.
Yeah, it feels that way. Funnily enough, no one wants to pay, and that is clear every time we're in an incident or in a crisis with a business. They absolutely, under these circumstances, don't want to actually go through a process of having to pay an extortion, which is what that is. A lot of businesses feel that it's the right thing to do, and unfortunately we've got ourselves into a position where we can justify those actions quite easily. One of the things that we do is tabletop simulations with businesses. Almost every week we're simulating a cyber attack with the board and an executive and running through this type of event. And often, even in those simulations, we're seeing businesses can justify that this is the right thing to do. The research this year showed a shift in what we saw last year. So last year what we saw is that businesses were going to pay because they were going to minimize harm to others. So at this point, we've lost someone's data. We've got a situation where the threat is we are going to leak all this information out or misuse that information to cause other people harm, you know, that information that you're trying to safe keep. That was a real push by threat actor groups to try to encourage us to make those payments. They're always changing their tactics to be better. This year, though, the research shows just as many times as that threat, which still exists, of "I want to protect businesses from making it any worse than I already have", that because this has happened, they're needing to pay to get their operations back up and running. So the business needs to get back up and running quick. They need to get their systems up and running because, generally, the costs of being down are quite significant. And what we're definitely seeing is that the longer you are down, the more impact on the supply chain and the businesses around you, and the more pressure that you will feel on your brand.
Stay with me, we'll be back in a minute. I'm speaking to Darren Hopkins and Brendan Payne, cyber partners at McGrathNicol Advisory. Okay, Brendan, when a business leader is facing a ransomware attack, what are they considering? I'm sure there must be other hidden costs, non-obvious impacts to the businesses that the executive has to think about, well beyond the one point three five million which is the average payout. Yeah.
Absolutely. Look, Darren and I and the McGrathNicol team work quite closely with businesses regularly on cyber incidents, and I think what we see most is the importance of being able to respond quickly in order to contain the attack and ultimately minimize the damage, some of which Darren just spoke to. So this is where a best-practice incident response plan is really critical and key for an organization. It details the roles and responsibilities in the event of an attack, including decisions on whether the business will pay a ransom and negotiate. It outlines recovery steps, communication plans, and the details of a person responsible for reporting the incident to the authorities and external advisors if necessary. Now, in relation to the costs, whether it's hidden or unexpected, you know, there could be a financial impact associated with downtime or business interruption and recovery efforts. This is where a cyber insurance policy can really pay off. Reputation or brand damage should also be considered, leading to a loss of customer trust and business. I think we've seen that numerous times in the sort of past couple of years. And depending on what information has been compromised, there's also a risk of data loss and intellectual property loss having a long-lasting effect on the business. And finally, the last thing I'll add is the organization may face legal and regulatory consequences which could result in potential fines for non-compliance, which obviously has a cost attributed to it as well.
Okay, so that leads us into the idea, Darren, of the federal government's mandatory, well, proposed mandatory ransomware reporting changes. What does the survey say about businesses' attitudes towards reporting? When will they kick in? Do you think they'll have the desired effect?
Yeah. So the changes that are coming through at the moment with this new cybersecurity bill that's been put forward, which has a section in there around mandatory reporting of a ransom payment by businesses, have been something we've been watching for a while. A few years ago, there was going to be a ransomware bill itself, and there was bipartisan approval for this bill to go through. And they were even talking back then about potentially making it not legal, so banning payments, and maybe with some safe harbour provisions around it, in certain circumstances it might be okay, but generally we didn't want anyone to be able to pay. I still think that would have been the best outcome, because what we've got now is this regime where if you pay a ransom, you've got seventy-two hours to report that back to the government. And if you don't report that, there's a small penalty for non-reporting, sixty penalty units, you know, eight or nine dollars, not a lot, not a significant penalty by any means. So when we asked during the survey what businesses thought about reporting, generally the vast majority, seventy-nine percent, said yes, we think we should be reporting these ransomware attacks to the government. So there doesn't seem to be any angst around reporting if it's legal. And you know, quite often I'm seeing businesses justify this because their insurance even covers it. You know, if my insurer is going to pay for the ransom payment, then it can't be that bad. Yeah, they will make the decision they think their business needs, and if they just have to report, then so be it. I think the government was hoping that this might be a mechanism to reduce the likelihood of people paying, because you can't keep it secret, you've got to talk and tell the government about it. The other thing I don't particularly agree with in the Act is that it has a small business provision: it's businesses over three million dollars that have to report.
Our survey deliberately looks at small business, SME, larger and enterprise, and our stats show that a large number of smaller businesses are getting hit. That's the vast majority of the businesses that don't have the controls, fall victim and pay, and they're going to be exempt anyway, Sean.
Can they afford the ransomware? Can they afford the amount of money being asked within a small business?
This is where I think the threat actor groups, you know, these hacking groups, are really good. You know, they're businesses, and to go off and try to ask a small business to pay ten million dollars, they get to know who they've successfully attacked, and they'll make sure that the extortion amount fits within the mechanism and the means for that business to pay, and quite often it might be around five percent of their revenue. So it's not an easy amount of money to find, but certainly every time we've seen these things, most businesses can afford it, and you can negotiate, and we've seen the negotiations where we say we can't afford that much money, it's been a tough year, it's post-COVID, and they will come back and give you a discount until you can get to a point that you're both comfortable, not that you'll ever be comfortable paying.
I don't think so. Brendan, where the ninety percent of executives say that their organizations are prepared for a ransomware attack, is that what you're seeing in terms of actual preparedness on the ground?
Yeah. Having worked dozens of incidents this year alone, Sean, it's a surprising number. That said, look, compared to previous years, more respondents believe their business is prepared in responding to a cyber attack. I think it's ninety-three percent in this year's results, up from eighty-eight percent in twenty twenty-three, inclusive of nearly one in two, so forty-eight percent, who believe their business is very prepared to respond, and that was up from thirty-five percent last year. Now just three in ten, or twenty-eight percent, of respondents who don't have or are unsure if their business has an incident response plan say their business is very prepared in responding to an attack. Which is interesting, because I can assure you if you don't have an incident response plan in place, then you're likely not prepared to respond to one. Those in larger businesses, so by larger I'm referring to two hundred and fifty employees or more, are more likely to say that their business is very prepared in responding to an attack than those with, say, fifty to two hundred and forty-nine employees. And finally, those in newer companies, aged up to ten years, are more likely than those in older companies, over ten years, to believe their business is very prepared in responding to a cyber attack. So yeah, certainly some interesting results there.
Yeah, so those are the numbers. Darren, do you think, I mean, you've tracked this for a few years now, do you think the senior execs are now more prepared for ransomware attacks? Broadly? Just sort of almost a gut feel as much as anything.
Look, executives and boards are absolutely aware of the risk and they know the issue. The regulators are making it very clear to all those business leaders that this is something you have to be prepared for, you have to plan for, and you have to demonstrate as an executive or an owner or as a director that you're doing enough. And the penalties that we're seeing come out of these regulators for getting this wrong are significant. You know, we're talking fines of fifty million dollars and more for getting this wrong. And we're now also seeing other regulators being very vocal about those obligations. So yes, businesses are aware and are doing a lot more, and we're actually even starting to see businesses asking to do more preparedness-type work. But is it enough? And you know, we're Australia, a country with a lot of small business; the vast majority of our businesses out there are smaller businesses. They don't have the funds or support to do enough. And we are seeing them fall victim, and they will generally make a call around what's going to be right for their business, and it may not be the right thing in any event for others, but at the moment they're pretty much exempt from these issues. I know small businesses are still exempt from the Privacy Act around notifiable data breaches, so you know, it is one of those things that's just going to continue to need change.
Finishing the podcast on an upbeat note, Darren, what are the positive trends that have emerged?
Look, there are certainly some positives that come out. We've seen more businesses seeing insurance to safeguard the business as something important, something they've put in place. Interestingly enough, you know, Brendan was suggesting and was talking to the planning and the work that businesses are doing to get ready. We are seeing some of those trends come up, and there's obviously a significant investment in the last twelve months that businesses have made to be prepared for this to happen, and certainly everyone knows of the problem, so they're all good things. There's never a real high you can end on when we're talking about ransomware. In my book, the one thing we would love to see is something that really does turn the dial in this country and makes it difficult or impossible for us to keep supporting organized crime in the way that we are. And whilst I understand completely why this happens and how we're protecting individuals and we're protecting businesses, we've just got ourselves into this position where it's a business that will continue for a very long time unless something really changes.
Darren, Brendan, thank you for talking to Fear and Greed.
Thanks Sean.
Thanks. That was Darren Hopkins and Brendan Payne, cyber partners at McGrathNicol Advisory, which is a great supporter of this podcast. This is the Fear and Greed Business Interview. Join us every morning for a full episode of Fear and Greed, daily business news for people who make their own decisions. I'm Sean Aylmer.