Law firm notes a 'complete change' in employers' approach towards ransoms
New Zealand businesses are growing more inclined to consider ransom payments to cyberattackers amid a shifting mindset among employers, a legal expert has told Radio New Zealand.
Jania Baigent, head of Simpson Grierson's cybersecurity and data disputes, said they had observed an attitude shift towards paying ransoms from cyberattacks over the past few years.
"At Simpson Grierson there has been a complete change in the way people talk about it. Three or four years ago many business owners wouldn't admit to even considering paying a ransom," Baigent told Radio New Zealand.
Baigent said the shift could be linked to a 2024 report by the Australian Institute of Directors that gave boards guidance on how to decide whether to pay a ransom.
"To my mind this really legitimised the concept of paying a ransom and now ransoms are being paid more by smaller, medium businesses in particular even though it still remains a little bit of a dirty word on the street," she told RNZ.
A 2024 study by IT company Cloudflare on cybersecurity in Asia Pacific found ransomware was a growing concern across the region, with 62% of the organisations that were hit paying the ransom, even though 70% publicly said they would not.
Organisations in India were the most likely to pay ransom demands at 69%, followed by Hong Kong (67%) and Malaysia (50%), while New Zealand came in at 22%.
A report from cybersecurity experts Kordia last year also revealed that 70% of business leaders would consider paying a ransom to a cybercriminal.
And a year later, Kordia's report found that nine per cent of businesses targeted by financial extortion ended up paying a ransom.
According to Baigent, the decision depends on the situation the organisation is in and the assessment of risk factors involved.
Alastair Miller, Principal Security Consultant at Kordia-owned Aura Information Security, also previously noted that some organisations consider paying a ransom as the "easiest way" to deal with cyberattacks.
"The reality is that many New Zealand businesses are ill-prepared, or unable, to respond and recover from incoming attacks," Miller said in a statement earlier this year.
"Unfortunately, it's sometimes cheaper to pay a ransom or payment demand than fork out for the cost of operational and wider business disruptions that commonly result from these types of attacks, not to mention the expenses associated with recovery and rebuild."
But Miller warned that this is a "dangerous trend," stressing that paying a ransom incentivises cybercriminals to continue extorting other victims, and that there is no guarantee that paying will achieve the desired result.
"The good news is that New Zealand businesses are increasingly recognising that cyber security isn't an 'IT problem,' it's both a strategic business enabler and an enterprise-wide risk management issue," he said.