Small businesses are not confident in their ability to respond to cyber-attacks, new research suggests, prompting experts to urge them to consider cyber insurance.
Only one in five small business owners and employees are confident in their ability to prepare for (23%), fight (21%) and recover (21%) from a cyberthreat, according to a survey of more than 2000 small business owners and employees by the Council of Small Business Organisations Australia’s Cyber Wardens program (COSBOA).
“Cybercriminals often go by scaled, repeated attacks making small businesses likely targets,” says SME insurance expert Jane Mason.
“A solid cyber response plan involves two parts: firstly, small business owners need to implement best-practice cybersecurity to prevent an attack. And secondly, they need a plan in place to manage a data breach if it occurs.”
Evidence suggests small businesses are failing on both fronts.
Nearly half of all SMEs spend less than $500 on cybersecurity and have an ‘average’ or ‘below average’ understanding of cybersecurity practices.
Just as crucially, only 20% of SMEs currently have cyber insurance, compared with 35%-70% for larger organisations.
“Small businesses often lack dedicated IT staff, fail to identify the weaknesses in their systems, and underestimate the risk. So, the ability to understand and protect against the risk of cybercrime isn’t there,” says Mason.
“Many will also not have the financial backing of an insurer to investigate the attack and help get them back online nor will they have the support to cover the legal fees and fines.”
Jane Mason, Head of Product, Channels & Risk
Whose responsibility is cybersecurity?
A point of difference among small business owners and employees is the view of who is ultimately responsible for cyber security.
The COSBOA survey found over one-quarter of Gen Z (born between 1997-2010) consider cyber security as something that is best left to IT experts, while older generations – and overwhelmingly Boomers (92%) – say that it’s a challenge for all employees.
This is despite Gen Z experiencing a similar volume of personal cyber security incidents as Millennials and Gen Xers.
While it is usually up to IT experts to set the parameters of a business’ cybersecurity and monitor for any weaknesses, generally, every employee has a part to play in being cybersafe.
Both the Optus and Medibank attacks, which released the information of millions of Australians last year, largely came down to a lack of care and human error.
Optus left an application programming interface (API) – which is essentially a gateway to information – open online, allowing hackers to access sensitive customer data.
The Medibank attack, which released sensitive medical records of thousands of people, occurred simply because one single desk support worker didn’t have multi-factor identification.
“Approximately 95% of cybersecurity incidents occur through human error, and while people make mistakes, that number is simply too high,” says Mason.
“Small business owners only need to point to these examples to explain the impact a simple mistake can have on a business and why it’s important that every employee remains hypervigilant about cybersecurity.”
A silver lining to the recent focus on data breaches is COSBOA’s new Cyber Wardens program launching later this year, which aims to increase the confidence of small business owners when it comes to cybersecurity.
Sponsored by Commonwealth Bank (CBA) and Telstra, the Cyber Wardens program is designed to give crucial cyber skills certification for small business owners to prevent cyber risks from occurring.
“I commend this initiative, which is the first of its kind in Australia,” says Mason.
Who might need to consider getting cyber insurance?
Although reducing the likelihood of an attack is important, Mason says sometimes risk prevention is not enough, and businesses need a safeguard in place for when things go wrong.
While not for everyone, cyber insurance can provide significant support for many small business owners in tough times.
So, who might consider getting cyber insurance?
Mason says sole traders are especially vulnerable to the cyber risks they face because they have a lot of skin in the game.
There is no legal distinction between the business and the business owner under a sole proprietorship, meaning that the sole trader’s private assets can be tied into liability claims.
“For any risk, business owners need to ask themselves, ‘could I stay afloat by myself if this risk were to happen?’ If the answer is no, then you might want to consider if there is an insurance product that can protect you from that risk,” says Mason.
“So firstly, are you at risk of cybercrime? If your business uses PoS devices, emails or has online systems (it doesn’t need to be a website) to manage business or you handle important data that could be compromised (that could either be personal data related to your customers or even your IP), then the answer is likely to be yes.”
The next question, Mason says at-risk business owners could ask is, can I deal with the consequences of a cyber-attack?
Not only would businesses need to deal with the cost of recovering the data and investigating the attack, but they would likely need to account for business interruption costs and the expense of bolstering cyber defenses.
For some businesses there may be the cost of dealing with the PR fallout and the potential of being liable for fines and legal costs associated with the victims of the attack.
“If you don’t think your sole trader business can handle these situations, then you may want to consider getting Cyber Liability insurance on top of your current insurance.”
This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording. © 2023 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769