Australian companies could risk becoming "low-hanging fruit" for cyber criminals due to a lack of education and an unwillingness to properly deal with threats.
Industry giants including the big four banks actively work to combat threats but many small and medium businesses do not properly protect data and then cave in to demands from crooks who hijack their systems, according to financial services firm Deloitte.
James Nunn-Price, who leads Deloitte's Asia Pacific Cyber unit, said companies were failing to report ransomware - which locks users out of their computers until they pay a fee - and instead perpetuate the practice by coughing up the cash.
"I'm amazed at how many Australian businesses pay the money ... certainly some super funds, insurers and corporates pay the money because it's just easier to pay a few hundred dollars and then they wonder why six weeks later they get hit again," Mr Nunn-Price told reporters on Monday.
"They just want the problems solved, pay the money and think that's it. They're not gullible, they made a conscious decision.
"There's a culture of `oh, just sort it out, get it working again and just carry on'."
Mr Nunn-Smith said these companies only reported the issue to police when the amounts involved escalated dramatically.
Former FBI Cyber special agent Mary Galligan, now a Deloitte director, said those not adequately protected - such as through simple password management or only granting employees the access they need to do their jobs - are "the weakest kid on the block" and open to bullying by criminals.
CERT Australia, the national computer emergency response team and a partner agency in the Canberra-based Australian Cyber Security Centre, responded to 11,733 cyber crime incidents in 2014-15.
Tommy Viljoen, who leads Deloitte's Risk Advisory Security team, said businesses need to understand cyber security as well as they understand finance.
"If I say to someone in a boardroom `the bank account hasn't been reconciled for six months and you're in bad shape', the immediate response would be `we've got to sort it out, we've got to do it," Mr Viljoen said.
"If I say `you've got malware on that system and it hasn't been patched for a couple of years', I'll have people looking at me and asking `well, is that important?'.
"We really have a lot of work to do over the course of the next few years if we're not going to be that low-hanging fruit."
Share
