“I will go as far to say, in most cases, you will only contemplate the idea of ‘should we pay a ransom’ if you had tried to do a backup restoration … and that process has failed,” Mr Owen told a Cyber Summit on Monday.

That view was formed after having witnessed a number of attacks and having worked with companies who have suffered Australia’s largest breaches, including Medibankand Optus.

Speaking to The Australian after the summit, Mr Owen said data restoration and increased focus on third-party suppliers should be front of mind for most organisations.

Deloitte was increasingly advising its customers and running tests of back-up and restoration services, with many unaware they were sometimes not prepared or their contracts for restoration providers were outdated, he said.

Most Australian companies had contingency plans in place which saw their system back up and online in 24 to 48 hours following a major cyber incident.

“If you think about what turns one of these incidents into a crisis, as opposed to an event, it’s usually the amount of time that they’re offline for,” he said.

“Our advice to organisations would be if you pay a ransom to try and get your data returned, I think it’s a bit like the toothpaste has already left the tube in terms of whether you’re ever going to get said data back and whether you can get confidence that (the hacker is) going to subsequently release it.”

One increasingly important area on the subject of cyber ransoms was the pressure that secondary organisations played, especially when it came to business involved in critical supply chains, Mr Owen said.

Australian Securities and Investments Commission chair Joseph Longo, who also held a keynote at the summit, was adamant most organisations had not properly assessed the risk of third-party suppliers.

Mr Longo, quoting some early findings of ASIC’s cyber pulse survey, said most respondents had no ability to protect data handled by third-party suppliers.

“Although the results will be published later this year, initial findings make it clear that one of the weakest links in cyber preparedness is third party suppliers, vendors and managed service providers,” he said.

About 44 per cent of respondents “indicated that they did not manage third party or supply chain risk and more than half had limited or no capability to protect confidential information adequately”, he said.

Mr Longo also told the summit that ASIC would increasingly be targeting directors who had not done enough to protect themselves from cyber incidents.

“The days are long gone where directors of any company or any business can say, ‘well, I don’t really understand that technology’,” he said. “That’s just simply not acceptable. I think if you’re a director of a company, then you’ve got to understand the company’s business.”

Directors in 2023 who failed to understand the technology systems of their companies were likely not complying with their duties. “That means understanding the systems process technology providers and the data management,” Mr Long said. “All of that is fundamental to the viability of most businesses so if you can’t demonstrate that, then you’re probably getting close to not complying with your director’s duties.

Mr Longo added: “If you’re not evaluating your third party risk, you’re deceiving yourself.”

More Coverage

Dymocks attack: 1.2 million customer records hit dark web

Joseph Lam

Meet the gurus hanging out on the dark web

Joseph Lam

Originally published as Companies only consider cyber ransom when data restoration fails