Ransomware risk: Australia is not prepared for cyber attacks, should not be allowed to pay ransoms

Australian businesses are paying criminals billions of dollars and there are many more attacks on high-profile targets to come.

Channel 9 likely the subject of 'destructive malware' cyber-attack

Australian businesses are not prepared for the tsunami of cyber attacks expected this year, experts warn, in an oversight likely to cost organisations more than $1.4 billion in ransoms and downtime.

A lack of laws to prevent businesses paying criminals eye-watering sums, a cybersecurity skills shortage and chronic under-investment in security have been named as oversights putting Australia at risk, amid calls for urgent reforms.

The warnings come after a week in which Channel 9 suffered one of the most disruptive online attacks in Australian history after criminals breached network security at its Sydney studios, preventing broadcasts and impacting the company’s newspaper production.

But Check Point cybersecurity evangelist Ashwin Ram said Australians should brace to see many more attacks on high-profile targets this year following “a massive increase in phishing” — fraudulent emails designed to trick employees.

Channel 9 suffered one of the most disruptive online attacks in Australian history after criminals breached network security at its Sydney studios. Picture: Twitter

Successful ransomware attacks surged by 57 per cent in the past six months, Check Point found, and had continued to rise at a rate of nine per cent each month.

Shadow Assistant Minister for Cybersecurity Tim Watts said ransomware had become one of the leading online threats in Australia over the past 18 months, with losses becoming “unsustainable” for small and large organisations.

A report by Emsisoft estimates ransomware cost Australian businesses $1.4 billion in 2019, including the cost of ransoms and lost business, while a new report from Palo Alto Networks found criminal demands have soared by 171 per cent over the past year, with the highest known ransom paid doubling to $13.1 million.

Mr Watts said legal reforms were urgently needed to discourage well-resourced criminal gangs from targeting Australian businesses, rather than just leaving it entirely up to the private sector.

Changes could include reforms to money-laundering laws, he said, as well as cryptocurrency exchanges that handle the ransoms, “aggressive” participation in international task forces, and new ways to prevent businesses paying criminals to retrieve their data.

“We need to look hard at regulating the payment of ransoms,” Mr Watts said.

“It’s worth exploring a model like the US sanctions regime where there’s a prima facie case against making payments. If a company feels it needs to, they would have to seek urgent approval.”

Shadow Assistant Minister for Cybersecurity Tim Watts said ransomware had become one of the leading online threats in Australia over the past 18 months. Picture: Mark Stewart

Mr Watts said ransomware gangs were not only targeting wealthy organisations but businesses in countries with the most accommodating laws.

“We need a comprehensive national strategy to make sure ransomware gangs know it’s not worth the hassle,” he said.

The reforms would follow the Government’s $1.67 billion 2020 Cyber Security Strategy, launched in August, and proposed changes to the Security of Critical Infrastructure Act to include “critical” companies and impose security obligations.

But Sophos global solutions engineer Aaron Bugal said many Australian businesses underestimated the task of securing their data, while others struggled to find staff for the job.

Almost two in three Australian companies reported difficulty recruiting candidates with necessary cybersecurity skills, according to a new Sophos survey, even though more than half suffered a data breach last year.

“The cyber skills shortage is exacerbating the problem,” Mr Bugal said.

“Sometimes companies give system and network administrators multiple security roles and in some small businesses it’s worse. You can’t expect CPAs to also be cybersecurity experts.”

Mr Bugal said changes in Australian organisations needed to happen “from the top down” to recognise the risks ransomware criminals posed before it was too late.


Original URL: https://www.dailytelegraph.com.au/truecrimeaustralia/crimeinfocus/ransomware-risk-australia-is-not-prepared-for-cyber-attacks-should-not-be-allowed-to-pay-ransoms/news-story/d83ffadd06d11910809247f97b355643