Australian firms overestimate cyber resilience as attacks rise
Research commissioned by Cohesity indicates that many Australian companies overestimate their cyber resilience capabilities, potentially jeopardising business continuity and leading to ransom payments. The study, involving 502 Australian IT and security decision-makers, highlights a rising trend in cyberattacks, particularly ransomware, with many respondents admitting to having paid ransoms over the past year.
According to the respondents, confidence in cyber resilience strategies remains high, with 79% expressing belief in their company's ability to handle growing cyber threats. Despite this confidence, the research revealed that 60% of Australian respondents had experienced a ransomware attack in the past six months. Furthermore, 94% acknowledged that the threat of cyberattacks had increased or would increase in 2024 compared to the previous year, with 48% predicting an increase of over 50% compared to 2023.
Alarmingly, only 7% of respondents asserted that their company would not pay a ransom to recover data and restore business processes. In contrast, 81% stated their company would pay, while 12% said it would depend on the ransom amount. Additionally, 60% of respondents indicated their company would be willing to pay over USD $1 million in ransoms, and 34% would be willing to pay over USD $3 million.
Over half of the respondents (54%) admitted their organisation had paid a ransom in the past year, even though 72% of those organisations had a "do not pay" policy. The breakdown of ransom payments is as follows: 48% paid between USD $1 and USD $249,999, 23% paid between USD $250,000 and USD $499,999, 18% paid between USD $500,000 and USD $999,999, 8% paid between USD $1,000,000 and USD $2,999,999, 3% paid between USD $3,000,000 and USD $4,999,999, and 1% paid between USD $5,000,000 and USD $9,999,999.
Matt Old, Director of Cloud Alliances for Cohesity Asia-Pacific & Japan, commented, "Organisations may have the greatest confidence in their cyber resilience, both in their strategy and capabilities, but the reality is that the majority are paying ransoms or would pay a ransom, which means many organisations overestimate their cyber resilience."
The research also pointed out significant challenges in data recovery and restoration of business processes. Only 5% of respondents said they could recover data and restore business operations within 24 hours. A further 19% could do so within one to three days, 36% within four to six days, 30% within one to two weeks, and 10% said their organisation would require three weeks to two months.
Despite most respondents aiming for an optimum recovery time of one day (97%), only 5% felt they could actually achieve it. This discrepancy stresses the need for more effective cyber resilience strategies.
Old highlighted the importance of modern data security measures, saying, "The most vital element of cyber resilience is the ability to recover business-critical data that restores key business processes. But you can't restore critical data if you don't secure it from external or internal threats first."
The survey also revealed that nearly half (46%) of respondents believed their organisation's visibility of critical data could be improved. In terms of data access control measures, 61% of companies had deployed multi-factor authentication, 56% required multiple approvals for administrative actions, and 53% used role-based access control.
Despite advancements in regulation and legislation, only 53% of respondents felt their organisations had all the necessary IT and security capabilities to identify sensitive data and comply with data privacy laws. However, 83% acknowledged that advanced threat detection, data isolation, and data classification were crucial for qualifying for cyber insurance or securing discounts.
Industries considered most impacted by cyberattacks included IT and technology (56%), banking and wealth management (36%), and financial services (33%). Respondents also indicated that 82% of organisations had responded to AI-based cyber threats in the past year, with 80% stating they had AI-powered solutions to counter these threats.
Old underscored the essential nature of cyber resilience: "Cyber resilience is non-negotiable because the incentive and motivation of attackers is so high, with attack surfaces incredibly vast, so a reliance on protective controls is unrealistic." He urged business leaders to prioritise both data security and data recovery capabilities.