

Small Business, Big Target: The Rise of Cybercrime in Australia

Can your small business afford a $50,000 cybercrime incident?
That’s the confronting amount that small businesses lost on average across reported incidents to the Australian Signals Directorate (ASD) in the 2023-24 financial year, marking an 8% increase from the previous year. It is certainly an amount that will put a hole in the budget and cash flow forecast of most small businesses.
Cybercrime is no longer just a big business problem and is increasingly impacting small businesses across Australia, leading to significant financial losses and operational disruptions. It should be one of the key risks on your business risk register and is always front of mind when I discuss risk with my clients, as their outsourced CFO.
In this article, we will examine why small businesses are increasingly becoming targets for cybercriminals, what types of attacks are most common, and how you can protect your business from becoming the next victim.
The Alarming Rise of Cyber Threats to Australian Small Businesses
In the 2023–24 financial year, the Australian Signals Directorate (ASD) received over 87,000 cybercrime reports, marking a 13% increase from the previous year. This equates to one report every six minutes. It seems likely that many small business owners who were victims of a cybercrime attack would not report it to the ASD, making these numbers only the tip of a much bigger iceberg.
It is certainly the case that there has been much in the media about cybersecurity threats impacting large Australian corporations, and these businesses have spent millions upgrading and protecting themselves. That shifts the attention of criminals to the softer and much bigger target of the 2m Australian small businesses, many of which remain under-protected.
The financial toll of cyber incidents on small businesses is substantial. The report states that the average cost per cybercrime report for small businesses was $49,600. Beyond direct financial losses, breaches can lead to reputational damage, loss of customer trust, and potential legal ramifications. Each of these will have significant impact on the bottom line.
You can access the full report here - ASD Annual Cyber Threat Report 2023-2024
Australia’s Evolving Regulatory Landscape
Privacy Act 1988: Major Changes Ahead
Currently, most businesses with revenue of less than $3m, which includes almost 92% of businesses in Australia, are exempt from compliance with the Privacy Act 1988. The first tranche of changes to the Act was made in 2024, with further changes expected in 2025 removing the small business exemption.
These changes will likely mean most small businesses will need to tighten their processes for managing and protecting personal information and customer data. Small businesses could also be on the wrong end of larger fines and legal action from parties impacted by a data breach.
Cyber Security Act 2024: Ransomware Reporting
In addition, under the Cyber Security Act 2024, which received Royal Assent on 29th November 2024, and other related legislation, rules have been tightened concerning the mandatory reporting of any ransomware payments made by businesses. This is currently limited to businesses with revenue of more than $3m but could foreseeably impact small businesses in the not-too-distant future.
Top 6 Cyber Threats Facing Small Businesses
Businesses can be vulnerable to several different types of cybercrime due to the complexity of their systems and processes, and the varying levels of cyber awareness of their teams. Here are the most prevalent types:
Business Email Compromise (BEC): Attackers impersonate trusted contacts to deceive employees into transferring funds or revealing sensitive information. BEC remains the most reported cybercrime in Australia. BEC resulting in financial loss represented 13% of all cybercrime types reported to the ASD. This has been made so much easier for attackers since the rise of LinkedIn as a platform for all things jobs and careers. New hires are easy targets for an email or text, supposedly from their new boss, asking them to carry out some urgent request which always involves a payment of some kind.
Online Banking Fraud: Requests to change bank account details, or unsolicited SMS or emails from financial institutions asking for passwords or an MFA code. This type of attack also represents about 13% of all cybercrime types reported to the ASD.
Phishing Attacks: Deceptive emails or messages trick recipients into clicking malicious links or providing confidential data. In a recent survey released by Netskope, Australian workers fall for phishing attacks at nearly double the global average, 5 per 1000 attempts compared to 2.9 globally. (https://www.netskope.com/netskope-threat-labs/threat-labs-report-november-australia-2024)
Ransomware: Malware encrypts a business's data, demanding payment for its release. Such attacks can cripple operations and result in significant data loss.
Malware and Viruses: Malicious software infiltrates systems, leading to data theft, system damage, or unauthorized access.
Deepfake Scams: Advanced technologies create realistic fake audio or video content, deceiving businesses into fraudulent transactions. Notably, a finance worker lost $37.3 million recently at a global finance firm in Hong Kong after being deceived by a deepfake video call with his boss.
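As an added example that is not part of the original article, the following Python script applies a few defensive heuristics of the kind mail-filtering teams use to surface the BEC and online banking fraud patterns described above: an executive's display name arriving from an outside domain, a look-alike sender domain, a Reply-To that points somewhere other than the sender, and urgent language paired with a payment or bank-details request. The company domain, executive names, keyword lists and the three sample messages are all constructed assumptions, not data from the article or the ASD report.

```python
"""Heuristic indicators for business email compromise (BEC) and payment fraud.

Added example, not from the original article. The company domain, executive
names, keyword lists and sample messages below are constructed for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com.au"            # assumed: the business's own mail domain
EXECUTIVES = {"jane smith", "tom nguyen"}    # assumed: display names staff would trust

URGENCY_WORDS = {"urgent", "immediately", "asap", "today", "right away"}
PAYMENT_WORDS = {"invoice", "payment", "transfer", "gift card",
                 "bank details", "account details"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(msg: dict) -> list[str]:
    """Return the names of every indicator that fires for one message.

    msg keys: 'from', 'reply_to' (optional), 'subject', 'body'.
    """
    findings = []
    name, addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of(addr)

    # 1. A known executive's display name, but the mail did not come from our domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive_name_external_sender")

    # 2. Sender domain is a near-miss of the company domain (one or two characters off).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # 3. Replies would go to a different domain than the one the mail claims to be from.
    reply_to = msg.get("reply_to")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_domain:
            findings.append("reply_to_mismatch")

    # 4. Urgent wording combined with a request to pay or change bank details.
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent_payment_request")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {   # the "new boss" scenario: executive name, outside mailbox, urgent gift-card ask
        "from": "Jane Smith <jane.smith.ceo@mail-example.net>",
        "subject": "Urgent request",
        "body": "Are you at your desk? I need you to buy gift cards today and send me the codes.",
    },
    {   # look-alike domain, Reply-To elsewhere, and a change of bank details
        "from": "Accounts <accounts@examp1e.com.au>",
        "reply_to": "accounts-team@webmail-example.org",
        "subject": "Updated account details for invoice 1042",
        "body": "Please transfer payment to our new bank details immediately.",
    },
    {   # ordinary internal mail that should pass cleanly
        "from": "Tom Nguyen <tom.nguyen@example.com.au>",
        "subject": "Lunch on Friday",
        "body": "Team lunch at 12:30, let me know if you can make it.",
    },
]


def triage(messages: list[dict]) -> dict[int, list[str]]:
    """Map message index to its indicators, leaving out messages with none."""
    return {i: f for i, m in enumerate(messages) if (f := bec_indicators(m))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_MESSAGES).items():
        print(idx, SAMPLE_MESSAGES[idx]["subject"], "->", ", ".join(hits))
```

Any single indicator is weak on its own (a genuine executive may well mail from a personal address); the value of this kind of check is in flagging messages where several fire at once so a person verifies the request by phone before any funds move or bank details change.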
Proven Strategies to Mitigate Cybercrime Risk
Hopefully, I have persuaded you that cybercrime is not just something for the big end of town to be worried about, and that it can, and probably will, impact your business at some point. Here are my top strategies for you to manage cybercrime risk in your business:
Hire an expert IT consultant
They will have a long list of great strategies to improve your security profile and are the experts most up to date with possible threats and solutions. This is one area where DIY is not advisable; the investment will be worth it. Areas of focus will include:
Installing Security Software: Ensuring that best-in-class software is protecting your business, including anti-spyware, anti-virus, anti-spam and firewall protection.
Implementing Multi-Factor Authentication (MFA): Adding an extra layer of security reduces the risk of unauthorized access.
Software Updates: Ensuring all systems and applications are up to date to patch known vulnerabilities.
Data Backups: Regularly backing up data to secure locations to mitigate the impact of potential data loss.
Employee Training: Educating staff about recognizing and responding to cyber threats, especially phishing and BEC scams.
Access Controls: Limiting system access based on roles to minimize potential internal threats.
Develop a Cybersecurity Policy: Establish clear guidelines and response plans for potential cyber incidents.
Check your insurance coverage
Speak with your insurance broker about the level of coverage your business has for cybercrime and ensure that you are comfortable with the level of protection and any residual risk. It is likely that you will have to demonstrate you have strengthened your IT systems and processes, as described above, to get cost-effective cover.
Cyber insurance coverage can include so much more than just coverage for direct financial loss, including:
Third party liability – legal costs and compensation to affected parties from a data breach
Reputational damage – costs to respond to reputational harm caused by an incident
Loss of income – related to system interruptions and ransomware attacks
Data recovery – costs associated with restoring lost or corrupted data
Transferring risk to a third party, such as an insurance company, is a great risk mitigation strategy for cybercrime risk.
Engage with cybersecurity resources
Stay informed with what is happening in this fast-changing risk environment, particularly with threats that could impact your industry. Utilise resources like the Australian Cyber Security Centre's Small Business Cyber Security Guide for tailored advice. (Small business cybersecurity | Cyber.gov.au).
Being aware of emerging threats and protections will help you engage better with your external IT consultant and insurance broker to ensure that your business is fully protected.
Final Thoughts
The rise of cybercrime poses a significant threat to Australian small businesses, both financially and operationally. With an average financial loss of $50,000 for impacted small businesses, not including the cost of business disruption and reputational damage, this is a risk that you cannot ignore.
By understanding the prevalent threats and implementing proactive security measures, with the help of experts in this field, you can gain peace of mind knowing that you have done all you can to bolster your defences against cyber threats. Staying informed and vigilant is also key to safeguarding your business assets and maintaining customer trust in this increasingly risky digital world.