Cyber Ransom Payments Will Need to Be Disclosed By Businesses Under New Laws
The new laws proposed under the Cyber Security Act will push companies to report money being paid to hackers. Businesses will be forced to disclose when they pay ransom to a hacker and prevent the information from being passed on to regulators. The proposal is designed to lift the lid on a flourishing practice of secret payments, fuelling further ransomware attacks.
Here are key highlights of the proposed changes and their likely effect on Australian businesses.
- Small businesses are concerned about the new ransom payment disclosure rules. They fear the proposed $15,000 fines and the low turnover threshold of $3 million could harm their operations.
- The government is trying to balance encouraging transparency with protecting businesses. They are implementing measures to shield businesses from public scrutiny and avoid punitive actions.
- Ransomware attacks are widespread and costly. Many businesses have paid ransoms, and the total amount paid across Australia is significant.
- The government is taking steps to improve cybersecurity overall. This includes establishing a Cyber Incident Review Board and adopting international standards for connected devices.
- There is a need for further reforms. Experts argue that reducing data collection and implementing stronger privacy laws are essential to combatting cyber threats.
- Cybersecurity is a widespread problem: Almost one-third of cybersecurity incidents reported in the 2022-2023 financial year affected the public sector.
- Government cybersecurity is lacking: Consecutive audits have shown a low level of cybersecurity maturity in the government sector despite handling vast amounts of sensitive data.
- Ransomware payments are common: 54% of surveyed businesses admitted to paying a ransom in the last six months, despite having "do not pay" policies.
- Large ransom demands: Many organisations are willing to pay significant sums for ransom, with 60% willing to pay over $1 million and one-third considering payments over $3 million.
That could be the end: Small business ready to push back
Small businesses are worried and facing a backlash against new government rules that require companies to disclose ransomware payments. The Australian Chamber of Commerce and Industry (ACCI) is leading the charge, arguing that the proposed $15,000 fines for non-compliance and the low $3 million turnover threshold could devastate small operators.
The ACCI believes the mandatory reporting burden is excessive, especially for resource-strapped small businesses. They've called for the threshold to be raised to $10 million.
While the government has introduced safeguards to protect businesses from regulatory scrutiny, the ACCI remains concerned about potential identification and prosecution risks.
Cybersecurity experts, however, believe the new rules strike a balance between encouraging transparency and protecting businesses.
Small businesses are worried about a new law that would force them to report ransom payments to the government. They say the new rules and potential fines could put them out of business.
How deep is the rabbit hole?
Ransomware attacks are rife in Australia, with the public and private sectors heavily impacted. Government agencies have been identified as significant targets, with almost a third of cyber incidents reported in the past financial year affecting the public service. Despite handling vast amounts of sensitive data, the government's cybersecurity defences have been deemed inadequate.
The problem extends beyond government. A survey of businesses revealed that over half have paid a ransom in the past six months, with some organisations willing to pay millions of dollars. This highlights the scale of the issue and the financial burden on businesses.
While new laws aim to increase transparency around ransom payments, experts warn that the cyber threat landscape is complex and evolving. There's a need for a comprehensive approach, including improving data management practices, sharing information effectively, and adopting global cybersecurity standards.
In conclusion, Australia is grappling with a severe cybersecurity crisis. Ransomware attacks have become a pervasive threat, targeting both government agencies and businesses. The financial implications are staggering, with companies often paying exorbitant sums to regain access to their data. While the government is taking steps to address the issue, including increased transparency and investment in cybersecurity infrastructure, the challenge remains significant. Ultimately, a multifaceted approach involving collaboration between government, industry, and individuals is essential to mitigate the risks posed by cybercriminals.
Reported on ABC News, written by National Technology Reporter Ange Lavoipierre, 30 July 2024