Policy updates could shield Australian businesses from increasing ransomware attacks
Australian businesses are increasingly becoming the target of ransomware attacks, and federal policy updates are required to mitigate the risk, according to a brief from the Australian Strategic Policy Institute.
The Australian Strategic Policy Institute's International Cyber Policy Centre (ICPC) has issued a report titled Exfiltrate, Encrypt, Extort, laying out the significant risk to Australian businesses that exists without a large-scale domestic effort to prevent hostile takeovers of data and computer systems.
Authored by Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC), and Anne-Louise Brown, CSCRC director of corporate affairs, the report warns that Australian organisations are currently viewed as lucrative targets for ransomware due to their often low cyber-security protection.
Ms Falk and Ms Brown argue that the threat is such that businesses and organisations can’t be left to deal with attacks on their own. They want the Australian government to step in with policy measures that will mandate and incentivise greater protection.
Cyber security, they acknowledge, is an expense that carries no immediately “tangible” results.
For SMEs in particular, this cost can be hard to prioritise, which increases the need for government incentives to play a key role in protecting the Australian economy from greater ransomware losses.
“It’s important to note that ransomware attacks are entirely foreseeable and almost always defendable,” Ms Falk and Ms Brown said.
“In the physical world, organisations pay for security alarms, high fences and sensors to protect their property. And the digital world should be no different.”
One step they advocate for is an extension of full expensing, previously known as instant asset write-offs, to encourage SMEs to take up cyber security measures.
The temporary full expensing scheme, which was extended in the 2021–22 federal budget, already allows organisations with an annual turnover of less than $5 billion to immediately write off the business portion of the cost of eligible new assets they first use or install by 30 June 2023.
This allows businesses to make full or significant deductions for eligible purchases up front. But as it stands, cyber security assets aren’t clearly defined as qualifying assets, and currently only bespoke in-house software is covered.
Ms Falk and Ms Brown want to see the scheme broadened to include off-the-shelf products and subscription services, such as cloud storage. Not only would this change provide a tax incentive for businesses, but by opening it up to more widely available products, they anticipate a rapid uptake.
Moreover, the report makes eight targeted policy recommendations to drastically improve the cyber security resilience of businesses of all sizes.
They include establishing that the payment of ransom to secure one’s data or computer systems is not a criminal offence, and creating a dedicated, cross-departmental ransomware taskforce to share threat intelligence and develop federal policies.
For greater transparency, the recommendations include the creation of a non-punitive mandatory reporting regime, the regular publication of ransomware threat actors and aliases, and the expansion of the Australian Cyber Security Centre’s official alert system.
Finally, education, they note, is fundamental. A nationwide public information campaign, as well as a targeted program operating in the business sector, should equip Australians to understand the risks of ransomware, know what to look out for, and prioritise their cyber security.