
Cyber security weak points in SMEs – what you need to know

Published 07 July 2020

Small to medium-sized enterprises are estimated to account for 96% of all businesses in Australia and approximately 40% of all cyber crime targets. You wouldn’t gamble on these odds so you shouldn’t risk your business future by leaving yourself open to attack. Here are the 3 keys to understanding how you could become a cyber crime victim and what to do to avoid it.

Your most important risk exposures are your people, your management and your resources for responding to a cyber attack. Fortunately they are all within your ability to manage and control.

1. Your people

In a survey of more than 1000 Australian businesses of all sizes, nearly half of employee respondents admitted they have put the organisations they work for at risk of online attacks through the following unsafe activities.

Opening an attachment or a link in an email from an unknown contact

Phishing is the name for email scams that trick the recipient into clicking on a link or attachment, asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. Recent research shows that one in 728 emails in Australia is a malicious email, as reported by My Business. In 2018 email scams cost local businesses more than $60 million in lost revenue and downtime, according to Scamwatch.

Downloading apps, software, videos or games without their employers’ permission or sharing viral emails from unknown sources

Malware can be hidden in any of these downloads or messages, giving cyber criminals access to the system and the information on the network, enabling everything from denial of service ransom demands to identity theft or draining your bank accounts.

What you need to do

  • Educate your staff about the red flags to look for in unusual requests or demands for payment, and give them the information they need to recognise a bogus message when they receive one. Document these precautions and make them part of onboarding for new hires. Reinforce them with regular, clear reminders of what to beware of and how to respond.
  • Ring-fence your sensitive business information (employee details or financial accounts, for example) by identifying exactly who needs access to what parts of your system. These people and these people only should be able to access those specific areas of your computer network, always via multi-factor logins (identification plus password or phrase). Always revoke this access when someone leaves the company.
  • Establish clear protocols around responding to emails with links or attachments, or requests for personal or financial information. Messages from unknown sources should never be actioned and ones purporting to be from a known source should be checked for legitimacy. Any request for sensitive or confidential information should be scrutinised closely.

2. Your management

Not actioning technical updates

Both business owners and their employees are guilty of this: overlooking or postponing the update notifications that appear on their computers, software, apps or devices. Regular updates are vital because they contain security fixes that guard against recently discovered viruses and attacks. This process is also referred to as patching, and it is often as easy as clicking a button.

Not understanding how to protect yourself

Canvassing Australian small business owners reveals that the vast majority (87%) think using antivirus software alone means they're safe from cyber attacks. Antivirus software is only one part of a cyber security program and can’t by itself guarantee protection. You should also back up the information stored in your systems to a separate storage device and disconnect it once the backup is done. This precaution will help you get up and running again much faster after an attack or outage.

Not having a cyber attack response plan

Indications are that fewer than half of Australian businesses have a data breach response plan. For small businesses that don’t have in-house IT expertise this is a recipe for disaster. If you don’t know how to react or how to defend your systems and information, the damage you sustain will be more serious.

Not understanding your reporting obligations

A survey by Chubb Australia suggests that only half of Australian small to medium sized businesses are aware of their cyber reporting obligations. Failure to comply with requirements can attract hefty fines, and you may put others – your clients, customers and business partners – at risk.

What you need to do

  • You wouldn’t leave your premises unlocked. Follow basic systems security advice. The Australian Government Cyber Security Centre outlines 8 essential actions that every business should take to protect itself. Outsource this to an IT professional if you’re not tech savvy yourself.
  • Have a response plan in place. The quicker you can identify and contain an attack the less damage it can potentially do. Not sure where to start? Download our handy cyber breach response plan template.
  • Understand your obligations and the consequences of failing to meet them. If you sustain a data breach, that breach involves an individual’s personal information, and the breach is likely to result in serious harm to them, then you are required to notify the affected individual and the Office of the Australian Information Commissioner (OAIC). Non-compliance can attract steep penalties of up to $1 million. The OAIC has published a guide to help organisations implement the requirements of the Notifiable Data Breach Scheme.

3. Your resources

You have nothing to fall back on if you do get hacked

Only a quarter of Australian small businesses are believed to have cyber risk insurance. Given that they represent 40%+ of local businesses that get attacked this leaves them wide open to the potentially substantial losses incurred if their systems are hacked: downtime, data loss and legal cases or fines.

You don’t understand the complexity involved

If you don’t understand the extent of how a cyber attack could damage your business it’s difficult for you to effectively protect yourself against either the immediate effects or wider fallout.

What you need to do

Having standalone cyber insurance means you can respond to a cyber attack quickly, calling in the professionals in the knowledge that the cost of their services, and the associated expenses involved in restoration, remediation and reputational damage limitation will be covered.

Could you identify all of your risk exposures across your operations, computer network and devices? Obtaining a complete analysis and recommendations from a cyber insurance specialist who understands your business helps assure you of more complete protection if you are targeted by cyber criminals or your data is compromised through employee error.



Further reading

Cyber insurance

Do I need cyber-liability insurance?


Additional information

Most SMEs severely underestimate cyber security vulnerabilities

SMEs ‘fail’ on cyber security

Cyber attacks worsening among Australian businesses, costing economy $1 billion a year

Scams cost Australians half a billion dollars

Essential Eight Explained

Notifiable data breaches


Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312


Negotiating with a hacker in a ransomware attack on a business
Cyber | Article

Negotiating with a hacker in a ransomware attack on a business

07 July 2022
Legal penalty highlights businesses’ cyber security obligations
Cyber | Article

Legal penalty highlights businesses’ cyber security obligations

21 June 2022
Adapting your risk management protections to match evolving cyber cover
Cyber | Report

Adapting your risk management protections to match evolving cyber cover

31 May 2022