Cyber attacks affect all businesses, not just the big ones

Big or small, all businesses need invest in cyber security. As the costs, frequency, and sophistication of cyber incidents continue to grow, so should our ongoing policy and systems frameworks.

When we think of cyber attacks and data breaches, it’s natural to focus on the big ones. From Optus to Canva, Medibank to Australian National University, Federal Parliament, and state governments – these are what make the headlines.

But in a recent episode of The HR Leader, expert Simon Cohen, founder and managing director of Cohesis, said the conversation has come untethered from the realities of the cyber security landscape.

Victims big, medium, small

In raw numbers, medium-sized businesses are losing more to cyber attacks than large businesses, while the costs for small and medium-sized enterprises (SMEs) have been rising faster than those experienced by large businesses.

“I think that’s partly because SMEs think, ‘it’s not going to happen to me; I’m not one of the big guys,’” explained Mr Cohen. “People look at the big organisations and say, ‘well, at least we’re not that big.’”

When it does happen, though, the costs are monumental. As noted by the Australian Signals Directorate (ASD), when it comes to small businesses, even minor cyber incidents can have devastating impacts. In the 2021 to 2022 financial year, the average cost per cyber crime for small businesses reported to the Australian Cyber Security Centre (ACSC) was $39,000.

Cyber attacks are not just growing in frequency and severity; they’re increasingly sophisticated and, therefore, harder to protect against. As noted by TechBrain: “Cyber criminals are increasingly adapting their methods to exploit new vulnerabilities and maximise financial gain.”

“From ransomware attacks that lock businesses out of their own systems to sophisticated business email compromise schemes, the methods employed are becoming more intricate and damaging.”

Business email compromise

Business email compromise (BEC) events are a common and growing cyber threat facing SMEs. Initially a primitive form of cyber attack, BECs have evolved into one of the most devastating and most difficult threats to protect against.

On average, BEC incidents cost small businesses $45,965. Among medium-sized businesses, the average cost is $97,203, while only $71,598 for large businesses.

The vast majority of these incidents are carried out against SMEs. In fact, in 2021–2022, 92.6 per cent of these attacks were carried out against businesses with annual turnovers of less than $2 million.

“Cyber criminals are now employing more advanced social engineering techniques to impersonate senior executives or trusted partners, tricking employees into transferring funds or revealing sensitive information,” explained TechBrain.

“The financial impact of [BEC] incidents can be devastating, especially for SMEs with limited resources to recover from losses.”

Embedding security in operations

Mr Cohen said low levels of cyber awareness are, for SMEs, at the heart of the problem. The same training and resources relied upon by large businesses are simply not attained by smaller businesses. Given the costs of cyber security investments and the often thin operating margins of smaller businesses, these protections are often put in the “too hard box”, according to Mr Cohen.

SMEs often think, “‘We will worry about it later. I’m not sure what I’m getting or why I would spend money on X or Y’ ... therefore, that cost is not seen as an investment, as a protection of the business. It’s seen as a cost that I can live without until the point at which disaster strikes,” he said.

As cyber attacks become a bigger threat, so too does the cost of average insurance policies, meaning SMEs are having a harder time indemnifying themselves against the fallout. This was the subject of a recent HR Leader article.

Cyber security is not a one-and-done expenditure; it’s an ongoing process. What’s key, said Mr Cohen, is that SMEs find ways to be more proactive when it comes to identifying weaknesses in cyber infrastructure. The most effective way to achieve this is through ongoing “health checks” or security audits.

“If you don’t have health checks or you don’t have the right protections in place, at some point, something bad will happen,” said Mr Cohen. This is a challenge not just for SMEs but also for businesses of all sizes.

For example, after Optus experienced its major cyber incident over a year ago, it made many public commitments to making the right changes and to putting these proactive checks in place, said Mr Cohen.

Within a matter of months, a similar incident occurred and, though it might be unrelated, said Mr Cohen, these things reoccur when the right kinds of governance policies aren’t put in place.

“When things go wrong [in cyber security], they go wrong in a big way,” he concluded.

For cyber security help, read ASD’s Small Business Cyber Security Guide here.

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Simon Cohen, click below: