Ransomware ‘69s’ Australia

ACN’s State of the Industry 2024 report states that “69 per cent of businesses have experienced a ransomware attack” (pp. 21 and 27).

This is obviously an error: 1,837,468 Australian businesses were not hit by ransomware in 2024, or ever. Yet this error is now, ironically, being repeated:

The Information Age writes “Of the 69 per cent of businesses hit by ransomware in the past five years, the ACN observed a staggering 84 per cent opted to pay the ransom” and “the average ransom payment climb to $1.35 million”, without pausing to consider that, taken at face value, this would mean ransomware cost the Australian economy upwards of 2 trillion dollars and no one noticed.

Tech Business News writes “69% of businesses hit by ransomware in 2024”, without noting that this would amount to 5034 ransomware incidents per day.

Marty McCarthy from LinkedIn writes “69% of businesses hit by ransomware last year”.

Jason Murrell writes “69% of Australian businesses hit by ransomware[.] 84% paid… average payment? $1.35M!”

This 69% statistic originally comes from a 2024 survey by Darren Hopkins’s team at McGrathNicol, which states “69% of surveyed businesses have experienced a ransomware attack in the past five years”.

It’s not entirely clear how many unique businesses were surveyed, but we do know that McGrathNicol engaged “YouGov to survey over 500 Australian business owners, partners, directors and C-Suite leaders of businesses with more than 50 employees.”

The survey results contradict all of the citations: it is not all businesses, it is businesses with more than 50 employees, and the timeframe is ‘in the past five years’, not just 2024.

In fact, on page 19, the survey clarifies that it is only “representative of approximately 60,000 Australian medium and large businesses with 50+ employees.”

Speaking about the 69%, ACN Board Member Annie Haggar said “That’s not just a worrying statistic, it’s a signal that the current approach isn’t working. We still see fear, silence and legal risk driving decisions after incidents”.

Annie and Jason are right — silence is a risk. But the real question is: which silence should the cybersecurity community break?

The film V for Vendetta comes to mind. In a pivotal scene, V hijacks every screen in London to say what everyone already knows: something is deeply wrong in society. But will people act on that knowledge? Or will they remain passive — preferring the illusion of order over the price of truth?

Like V, I want to confront you with uncomfortable truths in our industry:

Privately, many professionals express concerns about some of the government initiatives and the authority figures attaching themselves to them. Funding has gone to questionable places, through questionable means.

Every day, cyber risks are mismanaged — often buried by executives seeking to avoid accountability, because real solutions are complex, expensive, and threatening to their business models.

And perhaps deeper still: no one truly wants true cybersecurity. They want the appearance of it — just enough to say they’ve “done it.”

Even governments, if we’re honest, face limits. To truly regulate and enforce meaningful cybersecurity would raise costs and reduce competitiveness. So instead, the system allows risk to be quietly externalized — deferred into the future and pushed onto society at large.

In V for Vendetta, the people don’t rebel. They wait. Even at the end, they gather silently and passively wait for V to blow up Parliament — but it’s not V who sends in the bombs. It’s Evey Hammond, a normal person who lived most of her life afraid of the Symbolic Order (culture, rules, norms, laws, hierarchy, institutions, economic models) until she wasn’t anymore.

In your story, you’re not V. You’re Evey. You must be the one to proverbially ‘blow up Parliament’.

The only question is: what part of the system will you break the silence on? Or will you choose to remain in the audience — watching, nodding, and doing nothing?