If your company is held hostage, should you pay the ransom? Or should you be forced to tell the authorities? – ABC News

If someone broke into your home, and held all of your possessions to ransom, you would call the police. Right?

Or would you quietly pay whatever sum the thieves were demanding, and get your life back as quickly and easily as possible?

It might be a simple enough decision in a real-world scenario, but when it comes to cyber crime and ransomware, it seems to be much more complex.

Big companies can make good targets for cyber criminals who, in some cases, can extort millions of dollars with a pretty simple operation.

Ransomware attacks often see cyber criminals steal and encrypt data, or damage internal networks, and demand money to undo it.

They might even threaten to publish sensitive stolen information, or offer it to competitors.

Sometimes paying the ransom can be easier than asking for help and fighting back.

Policy experts from the Cyber Security Cooperative Research Centre want to make it mandatory for Australian companies to tell authorities when they are being targeted.

And they want more clarity on whether paying ransoms is legal at all.

They warn a "tsunami of cyber crime" has cost the global economy about $1 trillion, and say Australia is a soft target.

In late March, staff at Nine arrived at work on a Sunday morning, ready to put the Today show to air, only to find they had been the victim of a near-crippling cyber attack.

It rocked the company's operations, with many Sydney-based staff forced to work from home or temporarily move to Melbourne, and it took weeks for workflows to be back to normal.

Nine was very upfront about the attack, and sought the help of authorities like the Australian Signals Directorate in managing it.

Knocking out the news is one thing, but only a few months ago a huge slice of the US was left scrambling for petrol after a ransomware attack knocked out Colonial Pipeline's networks.

The company was forced to completely shut down its pipelines, responsible for about half of the US East Coast's fuel supplies, for days.

Colonial later confirmed it paid a $US4.4m ($5.6m) ransom.

Australian logistics giant Toll Holdings was hit in two separate attacks last year.

It too worked with experts from the Australian Signals Directorate, and said at the time it had "no intention of engaging with any ransom demands."

And steaks were on the line when global meat processing company JBS Foods paid a $US11 million ($14.2 million) ransom in bitcoin about a month ago.

Its global operations, including in Australia, were all but brought to a standstill by the attack, and the company said it paid the money to avoid data being stolen.

Some experts warn many Australian companies do not fully appreciate the scale of the threats they face.

They contrast the amount of money paid for security guards, alarms and sensors to protect a company's physical assets with the relatively little money paid for cyber security.

Rachael Falk from the Cyber Security Cooperative Research Centre said it is more common, and more serious, than many businesses appreciate.

"I think businesses are still woefully under prepared," she said.

"There are examples happening all around the world, and in Australia, almost on a weekly basis."

There are two things Ms Falk is suggesting the federal government could do to help companies better defend themselves.

The first is to use tax incentives to encourage businesses to invest in their cyber security.

The second is to force them to speak up when they suffer an attack, and let authorities and security agencies know, to help protect others in future.

"We're saying be more transparent, because once it's out in the open, it helps everyone," she said.

"I can understand the need to want to protect the company, protect customers, and also the deep need to want to just get on with remediating what's going on, and not have to shout from the rooftops.

"I entirely understand that, but I think being transparent about it is helpful."

Those ideas are being pitched separately to legislation the government is already considering, imposing greater cyber security obligations on operators of critical assets like water, health, energy and transport.

In a new policy paper, Ms Falk also argues the federal government has to clarify the legalities of paying ransoms.

While the official advice is always against paying ransoms, and instead working with authorities to combat ransomware attacks, some companies do take up the option.

It gets complex, because it is against the law to "deal with" money that could finish up involved in crime.

It is also illegal to provide funds to terrorist organisations, which is another risk in such a circumstance.

But duress is a defence, given the companies can reasonably believe a threat will be carried out if they do not pay.

Ms Falk does not suggest explicitly criminalising the payment of ransoms, arguing doing so would only further add to the burden of ransomware victims.

But she said those facing that difficult prospect should know legally where they stand.

"It will provide the victims with at least some certainty," she said.

"If we pay this, because we have to, we at least won't be facing some sort of action down the track from the Commonwealth that accuses our board of paying a ransom when we shouldn't have."

But she said better defences, and preventing an attack in the first place, were much simpler solutions.

"Ransomware is entirely foreseeable, and every business is at risk," she said.

"It's not just big organisations and household names, it's small companies.

"If they run a computer connected to the internet, they're at risk."
