NewsBite

Business study indicates Medibank likely to pay hackers’ ransom to stop crime gang releasing customers’ health data

A study by advisory firm McGrathNicol found 69 per cent of companies have suffered a cyber attack in the past five years, compared with 31 per cent in 2021.

A cyber crime group has punctured Medibank’s cyber defence strategy, which was considered industry best practice. Picture: NCA NewsWire / Paul Jeffers

Medibank will cave in to hackers and pay a big ransom to avoid the mass release of sensitive customer data – including health records – if it follows the strategy of most Australian business leaders.

A study from corporate advisory firm McGrathNicol has found most companies are bypassing negotiations and paying cyber criminals a ransom, often within 24 hours, to mitigate reputational damage from a breach.

Most executives are willing to pay almost double the ransom they were a year ago – with the average payment totalling $1.28m – to stop a cyber attack, it found.

Medibank is yet to confirm whether it is negotiating with hackers who claimed to have stolen 200GB of sensitive customer information – including medical records, credit card security data and Medicare numbers – let alone say if it’s willing to pay up.

Since the approach, Medibank shares have been suspended from trade on the ASX, a halt expected to last until the Australian Federal Police and Australian Signals Directorate determine what was stolen and who the attackers were.

The hackers have stepped up their demands, threatening to release the personal information of Medibank’s high-profile customers first. This could potentially include information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a pregnancy termination, or whether a person has been treated for a mental health condition or substance abuse.

The McGrathNicol survey – which included more than 500 business owners, directors and executives who employ more than 50 people – found 69 per cent of companies have suffered a cyber attack in the past five years. This compares with 31 per cent in 2021.

Darren Hopkins, a partner at McGrathNicol, said the research found that many businesses are “overconfident in their abilities to respond to a ransomware attack, but the reality is that many are still very unprepared”.

Some 79 per cent of businesses are choosing to pay a ransom.

“Many businesses are under pressure to pay and ‘keep the lights on’ rather than try their hand at negotiating with nefarious cyber-criminal groups,” Mr Hopkins said. “Given that almost a third of businesses are willing to pay more than $1m in ransom payments, and pay quickly, the research shows that business leaders are starting to treat the ransomware threat as they would any other business risk.”

Shane Bell, another McGrathNicol partner, said cyber security should be well established in businesses as it was not a new threat.

“Organisations really need to understand the current and evolving threat landscape. They need to make decisions about their own risk profile and risk appetite, and then use that information to build a program of continuous improvement geared towards building cyber into business-as-usual practices,” said Mr Bell, who like Mr Hopkins specialises in cyber security advisory.

Matt Boon, of technology advisory firm ADAPT, said Medibank was “being forced to tread a really fine line”, given the way its assurances that no customer data was stolen were up-ended.

“Transparency is necessary, but it shouldn’t come at the cost of even greater confusion for customers, so the timing of disclosure is vital,” Mr Boon said.

“An ideal response for a business suffering a breach involves quickly identifying the affected information, notifying relevant authorities and only communicating news of the breach once specific details are available to be shared with those impacted.

“That said, the scale and speed of certain breaches including this one, combined with government requirements for disclosure and public pressure for information, can make this best-practice response really difficult.”


Original URL: https://www.dailytelegraph.com.au/business/business-study-indicates-medibank-likely-to-pay-hackers-ransom-to-stop-crime-gang-releasing-customers-health-data/news-story/0dd17c9448fd41ba840b736e9a0d187f