Hard to see how paying ransoms ever ends well: Telstra CEO

Image: Telstra

Telstra and its CEO Andy Penn have a policy to never pay ransom, with the chief saying at the National Press Club (NPC) on Thursday that it never ends well.

“I can certainly see in situations where businesses are tempted to do so. Their whole business livelihood could be at threat from a ransomware attack. But candidly, it’s hard to see how that is ever going to end well,” he told ZDNet.

“If you pay a ransom, obviously you’re sending a signal to criminals that that’s something that you’d be willing to do.”

Apart from inviting further attacks, Penn said there was no guarantee the other party was trustworthy and the best defence was having recent offline backups, good password management, and proper patching.

“Prevention, frankly, is much better than trying to solve it after the event, but certainly our policy position would be not to pay ransoms.”

Penn said during his speech that Telstra has helped 17 of its enterprise customers over the past year recover from ransomware attacks, and that a number of “very senior individuals who are customers of Telstra” were targeted by business email compromise (BEC) scams.

“Once the attack starts, it is very persistent,” Penn said on the BEC attacks.

On whether companies should be disclosing attacks, the CEO said a disinclination still existed not to disclose attacks, but he noted that some businesses have seen benefits from being transparent.

“Companies that are transparent in dealing with it, recognising it, and communicating with their customers are actually building more trust with their customers,” he said.

“Because one thing that I think we have to take into account is often what will happen is if an organisation is hacked, and data is stolen, the issue with that data, is that data is usually data that belongs to that company’s customers as opposed to necessarily itself — and it is those customers who are best able to understand the risks associated with that data being disclosed on the dark web, and so you need to communicate with those customers as quickly as possible.”

Although currently preferring a carrot to a stick on the issue of whether company directors should be held legally responsible for cyber breaches, Penn said a line did exist.

“Ultimately, in egregious situations, where the exposure to cyber risk is seriously potentially a threat to national security or it’s a threat to health or safety, or otherwise, and there has been complete sort of negligence towards ensuring that there are some basic cyber defences in place, then I think directors obviously have to be responsible,” he said.

“As they are in other situations, whether it’s in health and safety, or in doing business responsibly and acting in a fair and non-misleading way.”

Liberal MPs misunderstand how the free market operates for political gain

Penn saved some of his most stinging criticism on Thursday for calls that the company should boost its spending in regional Australia following the sale of 49% of its tower business.

At the time of the announcement in June, Telstra said it would be using AU$75 million from the sale to increase coverage in regional Australia and handing 50% of the net proceeds back to shareholders.

Speaking to the NPC, Penn said the deal was a way of raising capital, and generating returns for its shareholders, the majority of which are the nation’s superannuation funds. He then pointed to the company’s mobile coverage to rebut claims the company was not spending money in regional areas.

“Telstra invests more than anybody in regional and rural Australia — we’ve spent about AU$5 billion, literally, over the last three or four years. In fact, I announced a further AU$500 million in recent weeks investing in regional and rural Australia,” he said.

“Those members of Parliament, I think, are confusing their own government policy and their own obligations — which tells you we’re a private enterprise, we’re there to work with and to help and support investment, and we are investing very significantly. We invested overwhelmingly in the mobile blackspots program, more than the rest of the industry put together. We were the only major operator to support the Regional Connectivity Program.

“It is, unfortunately a fact that not every part of Australia will receive mobile coverage.”

Penn said while the landmass of Australia is around 7.8 million square kilometres, and the company’s network reaches 2.5 million square kilometres, it was a million square kilometres more than second-placed Optus.

“The bottom line is, we’re not going to be able to cover every square inch of Australia. That is a reality, and unfortunately those members of Parliament need to come to terms with that reality,” Penn said.

“The other point I should say as well, is that in certain electorates, we actually have plans in place to put towers in, but unfortunately those members have not been able to actually get their own local councils to approve the planning permits to get the job done.

“I have said this previously with a couple of these individuals, that they need to go and have a walk down the corridor of Parliament house and talk to their colleagues, not to Telstra.

In response, Penn was asked whether some Liberal members of Parliament did not understand how the free market worked.

“Either that or they choose not to, because it’s politically helpful for them to say the comments that they say,” Penn replied.

Related Coverage