More Australian firms are panicking and paying ransoms

May 28, 2026 10:20 am

Concept stock photograph depicting Cyber Security theme, Thursday, April 28, 2016. [Photo Credit: AAP Image/Dave Hunt]

Australian businesses are among the most likely to pay a ransom to retrieve or protect stolen information, with more than half admitting they have given money to online criminals.

The trend emerged despite mandatory ransomware payment reporting laws, and even though many companies considered themselves prepared to weather online attacks.

Cyber security firm Veeam released the findings from a global study on Thursday, which also found almost two in three Australian companies expected to be attacked online within the year.

The news comes one year after reporting ransomware payments became mandatory for firms with an annual turnover of more than $3 million or those handling critical infrastructure.

The report, called the Veeam Data Resilience Survey, canvassed more than 4200 business leaders in Australia, the UK, US, Germany, France and New Zealand about ransomware attacks.

Australian organisations proved most likely to pay a ransom, with 52 per cent admitting their organisation had met criminals’ demands compared to the global average of 40 per cent.

Most Australian executives (62 per cent) also expected their business would be attacked or experience a data breach during 2026, and almost as many (61 per cent) said they would consider paying a ransom in future.

A number of factors made Australia a lucrative target for ransomware gangs, Veeam systems engineering head John Wood said, including a high prevalence of cyber insurance.

“Australia is getting hit harder and being more impacted than a lot of other places,” he told AAP.

“We are very advanced from a technology standpoint so… a larger target for threat actors to come after us and… we’re quite well insured.”

Despite the high number of ransomware attacks and pay-outs, most executives (81 per cent) said their company had a plan to protect its data in the case of an attack.

Many of these strategies were untested or tested under the wrong conditions, Mr Wood said, leaving business leaders to make decisions under duress during the 24 hours following an online attack.

“A lot of people do test (but) maybe they’re testing at 2pm on a Tuesday as opposed to 11.30pm on a Saturday and with three quarters of the team on holiday and one of the key decision-makers offline,” he said.

“There’s a big gap between those who have tested under real-life conditions versus those who have gone through an exercise and ticked a box.”

More organisations should spend time considering contingency plans, including who to contact in an emergency, he said, and consider deploying a negotiator in extreme circumstances to bid for smaller fees and more time.

Ransomware attacks represented 11 per cent of all incidents reported to the Australian Cyber Security Centre in the last financial year.