Ransomware attacks on Aussie businesses jump four-fold

The Australian Cyber Security Centre’s 2015 business survey has uncovered a dramatic surge in the rate of ransomware attacks over the last two years.

The ACSC, in partnership with CERT Australia, today published the findings (pdf) of a survey of 149 Australian businesses on cyber security experiences in the past year.

The pair did not name the respondents involved, but described the cohort as “major Australian businesses that partner with CERT Australia, and that underpin the social and economic welfare of Australia”.

Seventy-two percent of all respondents reported having been affected by ransomware at some point in the year, a more than four-fold increase from 17 percent in 2013.

“Ransomware also affected every sector that had experienced a cyber security incident, which demonstrates the indiscriminate targeting and the sophistication of this type of threat,” the report stated.

The jump has made ransomware the most common threat type amongst the ACSC’s respondents, up from sixth the last time the survey was conducted.

Half of all businesses that participated in the review admitted they had suffered some sort of attack that compromised the confidentiality, integrity or availability of data and systems in the year.

The frequency of most other threat types remained stable from the 2013 data, with malware and targeted malicious emails ranking second and third respectively.

Ransomware also rose to the top of the list of industry fears, followed by theft or breach of confidential information and advanced persistent threats.

As the government gears up to enter mandatory data breach notification laws into parliament, the ACSC also found that nearly half of surveyed businesses are still keeping intrusions secret.

The survey revealed that 51 percent of respondents did report security incidents, to either CERT Australia, law enforcement or another government regulator.

Just under 43 percent, however did not report identified incidents to anyone.

The ACSC found that 60 percent of the non-reporters said they could not see any discernible benefit from reporting. Other popular excuses included the fear of negative publicity and a lack of faith that the assailant would ever be caught.

“These findings indicate that Australian businesses are yet to be convinced about the benefit of reporting, but also that many incidents are considered too minor to report,” the report concluded.

Eight percent of respondents said they didn’t even know if their systems had been breached or not.

The ACSC - the face of the co-ordinated cyber defence wings of the Australian Signals Directorate, Attorney General’s Department, ASIO, the Australian Federal Police and the Australian Crime Commission - has asked the business community to look at the big picture advantages of an open dialogue about cyber security.

“By understanding the enablers, we can make it harder and less rewarding to commit cybercrime, therefore making Australia a safer place to do business,” the report argues.