09 March 2023
The Australian Cyber Security Centre (ACSC) acknowledges that Australian small to medium enterprises (SMEs) operate in a different environment compared to larger enterprises, with 97% of Australian businesses having fewer than 20 staff (Australian Cyber Security Centre, 2022). Managing competing business priorities with fewer resources, Australian small businesses require specific advice to better defend themselves from ever-present cyber security threats.
SMEs are particularly vulnerable to cyber-attacks, as they often have limited resources to dedicate to cyber security. A small business survey highlights that nearly half of the respondents spend less than $500 on cyber security per year.
Cyber threats pose a significant risk to small businesses, and investing in cyber security is crucial to protect their operations and reputation.
The cost of cyber security measures varies depending on the size and complexity of the business, but it is generally recommended that SMEs allocate a minimum of 5-10% of their IT budget to cyber security.
The impact of a cyber-attack on an SME can be significant, and it can be challenging for a small business to recover from the financial and reputational damage caused by a successful attack.
The cost of a cyber-attack to an SME can be significantly higher if sensitive data, such as financial or personal information, is stolen or lost, leading to regulatory fines or legal action from affected parties. Therefore, investing in effective cyber security measures is critical for SMEs to minimise the risk and potential cost of a cyber-attack.
Supply chain attacks also continue to be an area of concern due to the extensive range of victims that can be reached through targeting a single service provider.
Ransomware, in particular, has become extremely harmful to businesses, contributing to financially motivated eCrimes globally. There is a general consensus that cybercrime has overtaken drug trafficking as the most lucrative crime globally.
The costs stemming from a cyber-attack can vary tremendously, but are inarguably significant. The 2022 IBM Cost of a Data Breach Report noted that the average cost of a data breach was USD 4.35 million and for a ransomware attack (not including the cost of the ransom itself) was USD 4.54 million. Costs associated with a cyber event include the direct expenses associated with the incident, such as remediation and recovery costs, legal fees, and lost productivity. They also include indirect costs such as reputational damage and loss of customer trust, which can be more challenging to quantify but can have a significant impact on the long-term success of the business.
Growing regulatory scrutiny: Regulators around the world continue to increase their focus on cyber security and data privacy. Locally, the Australian Government has announced an overhaul of Privacy legislation following high profile, significant data breaches in late 2022. The most notable change proposed for small businesses is the removal of the previous exemptions under the Privacy Act for SMEs with less than $3 million turnover, which would mean that they will be subject to the notification requirements of the Notifiable Data Breaches scheme following a privacy breach. However, there is recognition that SMEs must have access to appropriate resources to assist these companies in complying.
Business email compromise, social engineering threats: Social engineering losses and associated instances of business email compromise remain a key loss area for SMEs. The most common scenario is interception of a supplier invoice by a threat actor to amend invoice bank details, or a threat actor impersonating a supplier to seek payment from a business. The emails of senior managers or owners may also be compromised, with emails being sent to finance departments requesting the transfer of funds to a new supplier or bank account. In all instances where a change is requested, this should always be followed up with separate verification to ensure that the request is legitimate.
Continued ransomware threat: Whilst the frequency of ransomware seems to have stabilised, the severity of this threat remains. It’s a common myth that only large companies are impacted by ransomware.
This form of cyber-attack can cripple IT systems, websites, customer data and payment systems. Ransomware poses a major operational risk to businesses of all sizes, industries and revenue. A ransomware attack would threaten the financial stability of a small business due to the loss of revenue, IT recovery costs, network remediation and cost of paying the ransom if the business chooses to do so.
Financial Impact: SMEs often have limited resources to invest in cyber security measures, making them more vulnerable to ransomware attacks. The cost of remediation, recovery, and lost productivity can be substantial for SMEs that are hit by ransomware, and many businesses struggle to absorb the financial impact of a ransomware attack and remain afloat.
Reputational Damage: Ransomware attacks can also damage the reputation and trust of an SME. Customers may lose faith in the business's ability to protect their personal and financial data, leading to lost sales and revenue. The public disclosure of a ransomware attack can also have a negative impact on the company's brand image and reputation.
Operational Impact: The operational impact of a ransomware attack can be severe, with critical business systems and data encrypted and made unavailable. SMEs may be unable to conduct business operations until the issue is resolved, leading to lost productivity and revenue.
In summary, the impact of a ransomware attack on an SME in Australia can be significant and far-reaching. SMEs need to take proactive measures to secure their IT infrastructure, educate their staff, and develop an incident response plan to minimize the risk of a ransomware attack and mitigate the impact if one does occur.
A cyber insurance policy can be an extremely valuable risk transfer tool for every business. Having cyber insurance cover can help protect your business’s reputation and finances and can help minimise any damage or disruption from a cyber-attack.
It has never been more critical for businesses to take proactive measures to help manage their cyber risk, including the implementation of cyber insurance cover. With a cyber insurance policy in place, access can also be made available to cyber security training modules and risk awareness videos as part of your business’s policy, helping your business and your team to identify and prevent cyber-attacks.
Cyber insurance can respond to claims made by victims of a ransomware attack. This includes:
*where it is legal for insurers to pay a ransom
Marsh is a leading cyber broker, and can provide our clients access to competitive rates and extensive insurance coverage. Please contact your Marsh broker for further information.
LCPA 23/097
Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arranges the insurance and is not the insurer. This publication contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire the product, refer to the specific policy wordings and/or Product Disclosure Statements available from Marsh on request. This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.