Ransomware: A Cost of Doing Business?

13 November 2023

73% of Australian businesses surveyed have suffered a cyber attack in the past five years and paid a ransom.

Following reports in 2021 and 2022, McGrathNicol Advisory continues to map the ransomware threat in Australia to better understand the attitudes and actions of businesses towards this pervasive cyber threat. McGrathNicol partnered with YouGov to survey over 500 Australian business owners, partners, directors and C-Suite leaders of businesses with 50+ employees. This year’s findings reveal that executives are still paying ransoms at a high rate, with softening attitudes towards payment reporting.

Key findings

1. Ransomware remains a significant threat to businesses.

The research shows that 56 percent of Australian businesses have suffered a ransomware attack in the past five years: 42 percent of medium and large businesses have fallen victim to a single attack, while 14 percent have been targeted repeatedly. The five-year ransomware average is down from a high of 69 percent in 2022, but remains well above the 31 percent recorded in 2021, when McGrathNicol started tracking these results. This suggests that while cyber criminals hit a ransomware peak last year, the threat remains, as many groups have shifted to other forms of cyber extortion.

2. Businesses are choosing to pay ransoms at an alarmingly high rate.

Of those that did suffer an attack, close to three quarters (73 percent) chose to pay the ransom demand. This is incrementally down from a high of 79 percent in 2022 and 83 percent in 2021, but not enough to suggest that government pressure and regulatory scrutiny are having a significant impact on executives’ decision to pay.

3. Businesses are also paying quickly.

Pointing to the speed at which these decisions are being made, 75 percent of Australian business leaders reported paying a ransom demand in less than 48 hours, and almost two in five (37 percent) reported making the payment within 24 hours. This is consistent with previous years, with 78 percent of companies surveyed in 2022 reporting that they paid within 48 hours, and 74 percent reporting the same in 2021. The figures show that many executives see a ransom payment as the lesser of two evils or simply ‘a cost of doing business’.