While cyber attacks on huge telcos, airlines and superannuation funds grab the headlines, small and medium-sized business owners are increasingly being seen as easy targets.In an alarming new study of the Australians whose devices have been slowed or seized by hackers, experts warned paying up to protect business reputations could be throwing away money for nothing and even earning a place on “sucker lists” for repeated targeting.
The report based on the 2023 Australian Cybercrime Survey found nearly 5 per cent of respondents had received a ransom message on their device in the previous year, well up on the 2.1 per cent just two years earlier.
While cyber attacks on huge telcos, airlines and superannuation funds grab the headlines, small and medium-sized business owners are increasingly being seen as easy targets. (Getty Images/iStockphoto)
What’s more, many were targeted multiple times, particularly if they chose to cave in to the ransomware criminals’ demands.
“SME [small to medium enterprise] owners were more likely to have received multiple messages and to have previously paid a ransom.
“Strong messaging should dissuade SME owners from making these payments, which increase the chances of repeat victimisation.”
While some scammers use ransomware – malicious software that encrypts or blocks access to files until a user has paid a ransom – to go “big game hunting” for large companies, the authors noted the majority went after SMEs.
Those in the multibillion-dollar global industry considered them “lucrative targets” due to generally having less sophisticated cybersecurity but enough revenue, data and access to other potential victims to be worthwhile.
Voce and Morgan found that among the 331 victims studied, the amount of money demanded was often relatively small, a mean of about $12,000 for business owners and $7000 for others. The median figure was much lower, less than $500 for almost 60 per cent of victims.
The researchers stressed how important it was to push out stronger messaging of the government’s advice to never pay a ransom (A Current Affair)
But the researchers stressed how important it was to push out stronger messaging of the government’s advice to never pay a ransom, particularly in light of the “sucker lists” cybercriminals reportedly share among themselves featuring individuals and organisations who have made previous payments.
“Importantly, over 40 per cent of SME owners had paid in response to one of these previous ransom messages, a significantly higher proportion than among other victims,” the report found.
“SME owners were also more likely to have paid following the most recent ransomware incident.
“This fuels the ransomware business model and can make SME owners appear to be easy to scare and manipulate, increasing their chances of repeat victimisation.”
Business owners (22.6 per cent) were much more likely to have paid the ransom than non-owners (7.6 per cent) but the researchers warned payment was no “guarantee that files and systems will be restored and data will not be sold or shared”.
Scarily, a quarter of ransomware reports to the Australian Cyber Security Centre involved “double extortion”, where victims were also pushed for money to stop their information leaking.
The report called for better education about how to spot and avoid suspicious links, respond to third-party data breaches and manage personal devices or working from home, as well as help to help victims remove the malware.
But they warned that was not enough, saying “there must also be technological solutions that can help protect business owners”.
