Skip to main content

What you need to know about cyber attacks on small-to-medium businesses?

09 March 2023

Emerging Cyber Threats on Australian SME

The Australian Cyber Security Centre (ACSC) acknowledges that Australian small to medium enterprises (SMEs) operate in a different environment compared to larger enterprises, with 97% of Australian businesses having less than 20 staff1 (Australian Cyber Security Centre , 2022)Managing competing business priorities with fewer resources, Australian small businesses require specific advice to better defend themselves from ever present cyber security threats. 

Impacts of Cyber Crime in Australia:
  • 1 report in every 10 min1 - The ACSC receives approximately 144 reports of cybercrime a day

  • $300 Million per year - According to their 2022 Threat Report2, the ACSC responded to 1,100 cyber security incidents between July 2021 and June 2022, an average of 21 cyber security incidents per week. Compared to the 2020–21 financial year, this is a decrease of 36%. This does not mean that the cyber security threat to Australian organisations has decreased, especially as the number of cybercrime reports has increased.

    The severity of cyber security incidents is increasing. Nearly 15 per cent of incidents in the 2021–22 financial year were categorised as C3 (C1 most severe, to C6 least severe), up from approximately 6 per cent in the previous financial year

  • On average, there is a cyber-attack every 10 minutes in Australia, with 43% of these attacks targeting SMEs. Education, healthcare and government are the most targeted area3.
The top five cyber threats facing Australian businesses during this period were:
  • Phishing attacks (39% of incidents) 
  • Ransomware (17% of incidents)
  • Malware (16% of incidents)
  • Cyber espionage (8% of incidents)
  • Vulnerabilities in web applications (6% of incidents)

What is the cost of cyber security measures to a SME? 

SMEs are particularly vulnerable to cyber-attacks, as they often have limited resources to dedicate to cyber security. A small business survey highlights that nearly half of the respondents spend less than $500 on cyber security per year .

Cyber threats pose a significant risk to small businesses, and investing in cyber security is crucial to protect their operations and reputation. 

The cost of cyber security measures varies depending on the size and complexity of the business, but it is generally recommended that SMEs allocate a minimum of 5-10% of their IT budget to cyber security.

What is the average cost of a cyber-attack to a SME?

Cyber-attack on a SME can be significant, and it can be challenging for a small business to recover from the financial and reputational damage caused by a successful attack.

The cost of a cyber-attack to an SME can be significantly higher if sensitive data, such as financial or personal information, is stolen or lost, leading to regulatory fines or legal action from affected parties. Therefore, investing in effective cyber security measures is critical for SMEs to minimize the risk and potential cost of a cyber-attack

Supply chain attacks also continue to be an area of concern due to the extensive range of victims that can be reached through targeting a single service provider.

Ransomware, in particular, has become extremely harmful to businesses, contributing to financially motivated eCrimes globally. There is a general consensus that cybercrime has overtaken drug trafficking as the most lucrative crime globally.  

The costs stemming from a cyberattack can vary tremendously, but are inarguably significant. The 2022 IBM Cost of a Data Breach Report noted that the average cost of a data breach was USD4.35million and for a ransomware attack (not including the cost of the ransom itself) was USD 4.54million. Costs associated with a cyber event include the direct expenses associated with the incident, such as remediation and recovery costs, legal fees, and lost productivity. It also includes the indirect costs such as reputational damage and loss of customer trust, which can be more challenging to quantify but can have a significant impact on the long-term success of the business.

What are the expected trends for 2023?

Growing regulatory scrutiny: Regulators around the world continue to increase their focus on cyber security and data privacy. Locally, the Australian Government has announced an overhaul of Privacy legislation following high profile, significant data breaches in late 2022. The most notable change proposed for small businesses is the removal of the previous exemptions under the Privacy Act for SMEs with less than $3mil turnover, which would mean that they will be subject to the notification requirements of the Notifiable Data Breaches scheme following a privacy breach. However there is recognition that SMEs much have access to appropriate resources to assist these companies in complying. 

Business email compromise, social engineering threats: Social engineering losses and associated instances of business email compromise remain a key loss area for SMEs. The most common scenario is interception of a supplier invoice by a threat actor to amend invoice bank details, or a threat actor impersonating a supplier to seek payment from a business. The emails of senior managers or owners may also be compromised, with emails being sent to finance departments requesting the transfer of funds to a new supplier or bank account. In all instances where a change is requested, this should always be followed up with separate verification to ensure that the request is legitimate.  

Continued ransomware threat: Whilst the frequency of ransomware seems to have stabilised, the severity of this threat remains. It’s a common myth that only large companies are impacted by ransomware.

This form of cyber-attack can cripple IT systems, websites, customer data and payment systems. Ransomware poses a major operational risk to businesses of all sizes, industries and revenue. A ransomware attack would threaten the financial stability of a small business due to the loss of revenue, IT recovery costs, network remediation and cost of paying the ransom if the business chooses to do so.

Financial Impact: SMEs often have limited resources to invest in cyber security measures, making them more vulnerable to ransomware attacks. The cost of remediation, recovery, and lost productivity can be substantial for SMEs that are hit by ransomware, and many business struggle to absorb the financial impact of a ransomware attack and remain afloat.

Reputational Damage: Ransomware attacks can also damage the reputation and trust of an SME. Customers may lose faith in the business's ability to protect their personal and financial data, leading to lost sales and revenue. The public disclosure of a ransomware attack can also have a negative impact on the company's brand image and reputation.

Operational Impact: The operational impact of a ransomware attack can be severe, with critical business systems and data encrypted and made unavailable. SMEs may be unable to conduct business operations until the issue is resolved, leading to lost productivity and revenue.

In summary, the impact of a ransomware attack on an SME in Australia can be significant and far-reaching. SMEs need to take proactive measures to secure their IT infrastructure, educate their staff, and develop an incident response plan to minimize the risk of a ransomware attack and mitigate the impact if one does occur.

Why is Cyber Insurance important to consider?

A cyber insurance policy can be an extremely valuable risk transfer tool for every business. Having cyber insurance cover can help protect your business’s reputation and finances and can help minimise any damage or disruption from the cyber-attack.

It has never been more critical for businesses to take proactive measures to help manage their cyber risk, including the implementation of cyber insurance cover. With a cyber insurance policy in place, access can also be made available to cyber security training modules and risk awareness videos as part of your business’ policy, helping your business and your team to identify and prevent cyber-attacks.

Cyber insurance can respond to claims made by victims of a ransomware attack. This includes:

  • Immediate 24/7 access to incident response services following an actual or suspected cyber event
  • Reimbursement of ransom payments* and access to specialist ransom negotiators
  • Loss of profit related to business interruption following a cyber-attack
  • Costs to repair and restore IT systems and data
  • Assistance in notifying impacted third parties following a privacy breach, as well as complying with Government reporting requirements

*where it is legal for insurers to pay a ransom

Request a quote for Cyber Insurance with Marsh 

Marsh is a leading cyber broker, and can provide our clients access to competitive rates and extensive insurance coverage. Please contact your Marsh broker for further information.

  1. Results from the Australian Cyber Security Centre Small Business Survey
  2. ACSC Annual Cyber Threat report 2020-21
  3. The Latest 2023 Cyber Crime Statistics

Need help?

If you have any questions about the content covered in this article or the risks and insurance coverage requirements for your business, reach out to your Marsh risk advisor today or contact us.

LCPA 23/097

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983)(“Marsh”) arrange the insurance and is not the insurer. This publication contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire the product, refer to the specific policy wordings and/or Product Disclosure Statements available from Marsh on request. This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.