Executives shrug off cyber ransoms as ‘cost of doing business’
More than half of businesses surveyed by McGrathNicol suffered a ransomware attack in the past five years, and 73 per cent of victims paid an average ransom of $1.03 million.
The threat of cyber ransoms has become normalised in the business community, with owners and executives choosing to meet hackers’ demands despite government advice, a survey finds.
Advisory and restructuring firm McGrathNicol’s annual survey of 500 leaders of medium and large businesses found that 73 per cent of ransomware attack victims chose to pay an average ransom of $1.03 million in 2023.
While the government has advised businesses to adopt a hardline “never pay ransoms” approach, McGrathNicol cyber partner Darren Hopkins said most businesses would rather pay up than face a backlash from customers, partners and stakeholders.
“Businesses are still overwhelmingly paying ransoms, and paying them quickly,” he said.
McGrathNicol partner Blare Sutton said the ransom amounts were set for each organisation based on how much it could afford to lose and whether it had cyber insurance.
“Hackers that set the price are generally the ones conducting the extortion effort themselves and they will research the victim, looking at the reported revenue and profitability and if they’ve got cyber insurance,” he said.
The survey, started in 2021, found that 56 per cent of respondents faced a ransomware attack in the past five years, down from a high of 69 per cent in 2022 but still “well above” a low of 31 per cent in 2021.
Two in three business leaders (66 per cent) chose to negotiate with hackers to validate the threat before paying a ransom, but ransom demands were generally met very quickly. Three-quarters of respondents reported paying ransoms within 48 hours, and 37 per cent made payments within 24 hours, the survey found.
Mr Sutton said ransomware attacks had become a constant business problem, and their threat was increasingly normalised in the eyes of business leaders, who viewed cyber risk like other business risks.
“Businesses are pretty well versed in dealing with risk, identifying and mitigating it, and cyber risk is seen as being no different to the 20 other risks they face,” Mr Sutton said.
“The longer it is a significant threat, the more businesses become informed about what the process to deal with it is, and how to manage it. And they can apply general business rules to what is essentially a criminal activity.”
Similarly, Mr Hopkins said ransomware payments had become “a cost of doing business” for organisations.
Business leaders were less likely than ever to report attacks, with 40 per cent of respondents believing that mandatory reporting was unnecessary.
External risk factors were the motivation for 74 per cent of respondents who paid ransoms; many believed that avoiding unknown consequences, such as brand damage and potential harm to stakeholders, outweighed the financial cost of paying.
“Businesses want to minimise any further harm to parties that were potentially involved, protect their shareholders by reducing the attack’s impact, and maintain their organisation’s reputation by keeping themselves out of the media,” Mr Sutton said.
Mr Sutton said paying ransoms failed to make businesses safer and instead funded cyber criminals, allowing them to evolve and diversify their attacks.
However, he also acknowledged that the decision to pay a ransom was a “deeply complex question”.
“You have to consider the moral, ethical and legal drivers and impacts.”
“I will never judge a business that does pay the ransom. But the fact is that if you pay, you are funding further crime. So, you need to understand your civic duties and balance that with your obligations to your business. Unfortunately, it’s not a black and white decision.”