Ransomware and the cost of recovery

Should businesses in the middle of a ransomware attack pay up? AUCloud’s Phil Dawson and Peter Farrelly discuss data sovereignty, cybersecurity practices and the state of ransomware attacks in Australia.


AUCloud is a sovereign cloud infrastructure-as-a-service provider. That concept is essential to everything you say about the company, so has that focus been intentional?

Phil: Absolutely. When you step back, data isn’t just data. It’s not just account data about customers – it’s metadata, it’s monitoring data and it’s the derived data that you get through analytics. One of the aspects of being sovereign is to protect what ultimately the customer should be concerned about, which is data. The confidentiality, the integrity and the variability of their data.

As a sovereign cloud provider, we’re not only owned by Australians – we’re an ASX-listed company – we not only operate from Australia and Australian locations, but we’re staffed by Australian citizens who are cleared to Australian security vetting standards, which reduces the risk vector to the infrastructure and the people who are protecting that data.

The other aspect is that data practitioners and national security agencies can infer a significant amount of insight from the metadata, monitoring data and analytics data that they can access in transit. The government officials are acting as custodians of all that data, on behalf of their citizens. If you look at the traditional information security triad of confidentiality, integrity and availability, there’s a lot of focus put on availability – and that’s a good thing. But you also need to consider the confidentiality implications of metadata and the risk implications to the integrity of the data through insights that can be gained from that metadata and compromised systems.

So why is sovereignty important? If you take the perspective of an overseas operator of an application or infrastructure-as-a-service, they may say the source data is hosted in an Australian data centre, and that data centre may even be up to government standards for that particular data classification. But more often than not, the metadata – which is absolutely necessary for them to operate in the way that they do with a global operating model – is accessed overseas. The support centres are often run from overseas. From an Australian perspective, maybe they are in Singapore or Ireland or Seattle. And that support centre itself is accessing the metadata to enable it to deliver its support criteria. 

Given the increasing scale and complexity of ransomware and cyberattacks, why are so many organisations still operating with outdated and insecure cybersecurity approaches and systems?

Peter: There’s a variety of reasons. A lot of organisations are doing the best they can with the resources that are available. But security, in many senses, has come a long way as far as being central to businesses or even a topic of discussion in boardrooms. Like any business allocating budgets and resources, it very much tends to be a discussion that’s based on priorities.

In times gone by, security hasn’t always been a priority, unless of course you’ve been the victim of a cyberattack or you’ve experienced a significant incident. But that attitude is changing. With organisations such as the Australian Cyber Security Centre – and even a lot of people from the banking industry – they’re doing a lot of work to promote cybersecurity, but there’s still more to be done.

2020 and the effect of the pandemic has actually been a good one for security. We’ve all had to adapt and change the way that we’ve worked, especially for people who are interacting with their staff and customers. I think many of those discussions have led with security as a topic and it’s really put it at the forefront of the minds of directors in organisations.

So is security too big a problem to solve? I don’t think so. There’s still lots of simple things that people can do well, that organisations can do to protect themselves. Ransomware overall is a significant risk. And if we look at the trends over the last few years, it’s definitely not a problem that’s going away any time soon – not as long as cybercriminals can profit from it. 

Do you think that some organisations are still looking at it through the lens of “This won’t happen to us”?

Peter: I can’t speak for everyone, but I think that some people may be hedging their bets. Sometimes they might look at it from an organisational perspective and go, “Why would we be a target?”

But ultimately that comes back to understanding the value of your data. Are you collecting information for business purposes or conducting transactions with customers or members of the public? The thing that’s changed in recent times is that people now understand that data has a value. It’s not just me accessing a website or buying something online – when you do those things, it has an intrinsic value to an organisation.

What are your thoughts on the way we’re all working right now in regards to remote working? Has it impacted cybersecurity?

Phil: Undoubtedly. At a simple level, the risk factor has increased significantly from when your staff were in your offices that were physically secure. You might have had biometric identity to get them into the physical building. You probably ran in a local area network. There were controls. Now you’ve got remote working where a significant proportion – if not all of your staff – are working from home. You may not know what location they are working from, or how they’re working. They may be on Wi-Fi that is insecure. You don’t know who’s looking over their shoulder.

You can employ smart people who are educated and you can do a lot of training to mitigate the risks, but going from a small number of remote workers in a team to most – if not all of them – working remotely, that changes the risk factor as well as the implications. So you’ve got to adjust your systems to accommodate new processes and reinforce your education. 

What would you say to businesses who are in the middle of a ransomware attack right now – should they pay?

Phil: To take it one stage back from that, I would say do everything you can to avoid getting into that situation in the first place. You need to war-game those potential risks before you find yourself in them. Collectively as a board of directors or a tech team or a customer-facing team, you need to understand what that means. What are you going to do in that scenario? How are you going to manage it? How are you going to communicate with your supply chain, your customers, your stakeholders, your staff – all while you are still in the middle of it?

As part of that war-gaming, you’ve probably got to consider the legality of actually paying a ransom. What are the legal implications not only for the company, but for you personally? You may just break the corporate veil at that point and become personally liable for doing so. I know through some of my own conversations, governments have been looking at whether to actually make it illegal to pay a cyber ransom, including the threat of jail to the director who does so. If a potential blackmailer knew that the individual acting for a corporation couldn’t pay the ransom – because they would ultimately go to jail themselves – that would limit the market. It reduces the potential of that attack in the first place, which is almost always economic. 


Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.