It has been reported that it could soon be illegal for companies that fall victim to data breaches to pay ransoms to the hackers. The home affairs minister, Clare O’Neil, confirmed the government was examining whether new laws were needed to stop ransom payments in the wake of the Medibank and Optus data breaches. O’Neil said while short-term successes were needed in cybersecurity reform after the mass hacks, and other long-term outcomes were being considered, including banning ransom payments.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
While making ransom payments illegal could be seen as a “quick win” by the Aussie government, there is no real evidence that such laws lead to a drop in cyberattacks. In place of these supposed quick wins, organizations need to focus on long term protection against such attacks by keeping their systems updated to plug security holes, running regular security scans for malware and viruses, performing daily backups that are kept offline from the main systems, and by educating employees and executives to the risks of phishing attacks, clicking links or attachments in emails and messages, and social networking hacks.
We saw similar laws introduced in North Carolina and Florida (but solely for government entities) in 2021. However, as our analysis into ransomware attacks on US government organizations found, there have been a couple of attacks in these states since. Even though these figures are lower in number than previous years, we’ve noticed a dip in publicly-confirmed ransomware attacks across the board, so it’s difficult to say whether or not the laws have had any effect on attackers’ targets.
Introducing laws to ban ransom payments could discourage hackers but it shouldn’t be the main focus or seen as the “solution” to ransomware attacks. Focusing on preventing ransomware attacks in the first place should be a key priority. Simply stopping a company from paying a ransom won’t solve the extortionate recovery costs organizations often face nor will it better protect personal data. In fact, personal data could be at more risk as hackers will often look to sell the data obtained through these attacks if ransoms aren’t paid.
Ultimately, cybercriminals will always adapt which is why organizations need to be one step ahead. Using a multi-faceted approach which includes various safeguards, such as better cybersecurity training for employees, frequent backups, installing the latest antivirus software, keeping systems up to date, and improving endpoint security, will better protect all types of organizations from such attacks. Prevention is better than cure.