Hidden Costs Of Ransomware: ANZ Businesses Admit To Paying Despite ‘No Payment’ Policies

Ransomware is revealing the fragility of policy over panic. New research released today by Commvault has exposed how many Australian and New Zealand organisations are abandoning their official stances when confronted with real-world ransomware attacks.

The report—based on responses from over 400 business and IT leaders across the region—found that while 54% of organisations had formal “no payment” policies in place, 15% of them still chose to pay the ransom when hit. That contradiction highlights how operational pressure and reputational fears often override cyber response plans in the heat of the moment.

In total, 70% of organisations reported experiencing a cyberattack in the past 12 months, with the overwhelming majority involving ransomware demands. Alarmingly, one in three companies lost access to all their data during the attack. Only 32% were able to recover 100% of their data.

“The fact that some companies are willing to pay, despite the risks and the policy, is a sign that they feel they don’t have a viable alternative,” said Gareth Russell, Field CTO for Asia Pacific at Commvault. “That’s not resilience—that’s desperation.”

The report highlights the role of inadequate preparation and testing. Although 70% of respondents said they had an incident response plan, only 30% test it thoroughly across all mission-critical workloads. The result? Severe blind spots that only become obvious after it’s too late.

Ransomware payment is not just a moral and legal concern—it has long-term operational and compliance implications. Cybercriminals who receive payment are more likely to target the same organisation again, and paying may not guarantee full data restoration. The Commvault report urges organisations to shift from reactive playbooks to proactive investment in backup, testing, and cyber resilience planning.

“True resilience doesn’t begin at the point of attack—it’s built long before,” Russell added.

© Scoop Media