DR pain leading more businesses to pay out ransomware hackers: Hammel


An increasing number of corporate businesses appear more than willing to pay out ransomware payments to free their captured data due to the excessive time and inconvenience of restoring high-volume backups, according to Allianz’s global cybersecurity chief.

Thomas Hammel, divisional information security officer at Allianz Technology, Munich, the insurance giant’s global IT services provider, says that an increasing number of corporates are “realising that their backup or restore systems aren’t as effective as they used to be”.

With enterprise data resources growing to tens if not hundreds of petabytes (one petabyte equalling 1,000 terabytes), the required time to restore these lost data assets could stretch into multiple days if not weeks – an untenable period of downtime for almost any business.

“As we see data volumes quadruple [or] grow exponentially, the restoration of this data becomes much more challenging,” Hammel said during a panel discussion at the Future of Security Sydney 2024 conference.

As such, paying the demanded ‘ransom’ for the encryption key to release captured data has become an increasingly viable, if controversial, option for many businesses – despite these payments, arguably, encouraging more attacks on similar businesses or indeed repeat attacks on previous victims.

(One study revealed that almost four in five organisations who paid a ransom demand were hit by a second ransomware attack, often by the same threat actor; nearly two-thirds of victim businesses were also required to pay more on the second instance).

Cybersecurity vendor Crowdstrike estimates that more than two-thirds (67 per cent) of Australian organisations have been victims of a ransomware attack. On average, another vendor estimates, Australian businesses pay out $250,000 per ransomware incident.

For Brendan Revell, Defence Bank’s head of information security, the banking regulator’s strict data backup rules have encouraged greater resilience among regulated businesses.

While admitting that APRA’s heavy-handed approach is both a “blessing and a curse” for regulated entities, the mandating of regular backup testing does, Revell said, instil greater confidence and “comfort” in businesses that they have the resilience and preparedness to withstand a data loss incident.

Adequate data backups are mandated under APRA’s CPS 234 Information Security standards, and remain a core recommendation of the Essential Eight.

However, Hammel cautions that regulators’ backup and DR requirements serve only as a minimum benchmark, far removed from the real-world impact of a data breach incident.

“The evidence that you’re required to supply [to regulators] that shows that you’re able to do that only requires that you sample a small piece of data,” Hammel said.

“If you have petabytes of data in your data centre and suddenly it’s gone, trying to restore 300 petabytes of data even with today’s infrastructure and high data volume machinery, you’re not going to be able to do that in a short period of time.”

APRA has flagged its own concerns with regulated businesses’ data backup and restoration practices. Earlier this year the regulator issued a letter to reporting entities noting that it had observed weaknesses in organisations’ use of data backups, including “insufficient testing of capability to recover systems and data within tolerance levels from backups”.
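The two points above, that a sampled restore test says little about full-estate recovery and that restore time must be measured against a stated tolerance level, can be put into a small capacity model. The following estimator is an added example, not code from the article, Allianz or APRA; the petabyte volume, per-stream throughput, stream counts and 72-hour RTO are constructed inputs, and `RestoreScenario`, `streams_needed` and `sample_test_coverage` are names chosen here.

```python
"""Restore-time estimator for large backup estates.

Added example (not from the article, Allianz or APRA). All volumes,
throughputs and the recovery time objective below are constructed inputs
chosen to illustrate the scaling problem the article describes.
"""
import math
from dataclasses import dataclass

PB = 10**15  # bytes per petabyte (decimal: 1 PB = 1,000 TB, as the article states)
TB = 10**12
GB = 10**9


@dataclass
class RestoreScenario:
    """One full-estate restore, modelled as N parallel streams at a fixed rate."""
    name: str
    data_pb: float       # volume that must be restored, in petabytes
    stream_gbps: float   # sustained throughput of one restore stream, GB/s
    streams: int         # restore streams that can run concurrently
    rto_hours: float     # tolerance level: hours within which recovery must finish

    def aggregate_gbps(self) -> float:
        return self.stream_gbps * self.streams

    def restore_hours(self) -> float:
        """Wall-clock hours to move the whole estate at aggregate throughput."""
        seconds = (self.data_pb * PB) / (self.aggregate_gbps() * GB)
        return seconds / 3600

    def restore_days(self) -> float:
        return self.restore_hours() / 24

    def meets_rto(self) -> bool:
        return self.restore_hours() <= self.rto_hours


def streams_needed(scenario: RestoreScenario) -> int:
    """Smallest stream count (at the scenario's per-stream rate) that fits the RTO.

    Useful for the conversation with the infrastructure team: it turns 'restore
    within tolerance' into a concrete parallelism/bandwidth requirement.
    """
    required_bytes_per_s = (scenario.data_pb * PB) / (scenario.rto_hours * 3600)
    return math.ceil(required_bytes_per_s / (scenario.stream_gbps * GB))


def sample_test_coverage(sampled_tb: float, total_pb: float) -> float:
    """Fraction of the estate that a sampled restore test actually exercises.

    A regulator-satisfying sample can be a vanishingly small share of the data,
    which is why a passed test does not demonstrate full-estate recoverability.
    """
    return (sampled_tb * TB) / (total_pb * PB)


# Constructed scenarios: same 300 PB estate, different restore parallelism.
SCENARIOS = [
    RestoreScenario("10 streams @ 1 GB/s", 300, 1.0, 10, rto_hours=72),
    RestoreScenario("1,000 streams @ 1 GB/s", 300, 1.0, 1000, rto_hours=72),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        verdict = "meets RTO" if s.meets_rto() else "MISSES RTO"
        print(f"{s.name:24} {s.restore_days():8.1f} days  {verdict}; "
              f"streams needed for {s.rto_hours:.0f} h: {streams_needed(s)}")
    cov = sample_test_coverage(sampled_tb=50, total_pb=300)
    print(f"A 50 TB sample test covers {cov:.4%} of a 300 PB estate")
```

Running it shows that even the thousand-stream case needs about three and a half days for 300 PB, which is why a restore-time figure, not a passed sample test, is the number to compare against the tolerance level.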