Food for thought: in an article posted on May 18, 2023 in The Australian Insurance Council, titled “Banning paying a ransom to cyber hackers is counter-productive”, Andrew Hall, the Chief Executive of the Insurance Council of Australia (ICA), stated that “attempts to ban businesses from paying ransoms for cyber attacks risks eroding trust and relationships with government.”
The comment was prompted by the recent Australian Federal Budget announcement of AUD $23.4 million in funding for a cyber warden program intended to uplift the cyber security of 50,000 small businesses. The details of the program are yet to be finalized, and Mr Hall encourages more consultation between the government and the small business community.
On the proposed ban on paying ransoms for cyber attacks, Mr Hall makes the valid point that the “decision for a business to pay or not pay a ransom is a decision for the business.” If a ban were to come into effect, there is a high chance that many businesses would still choose to pay to keep operating, despite the potential fallout.
The steady stream of ransomware attacks is a reminder that no company is immune. As the threat landscape continues to evolve, it is more important than ever for Australian businesses to cultivate a security culture: a comprehensive security strategy that focuses on preventative measures to reduce the risk of human error, backed by investment in security technologies.
We can’t (yet) stop ransomware. What we can do is limit the effectiveness and frequency of ransomware by increasing basic cyber awareness.
There are several things Australian businesses can do to improve basic cyber hygiene and cultivate a security culture, including:
- Implement ongoing, relevant, and engaging employee education on security best practices.
- Provide an opportunity for employees to test their knowledge with simulated social engineering activities, e.g., simulated phishing programs.
- Create relevant cyber security policies that set out the expected guidelines, actions, attitudes, and behaviors, so that everyone knows what is required of them.