Skip to content Skip to footer



Loading Results

GSISS 2018: Cyber security spotlight on small business

Key takeaways

  • Cyber attacks cost Australia more than AU$1 billion a year, and are continuing to rise.
  • Often large companies are compromised through their SME contractors, leading to a growing concern among this cohort for the need for stronger cyber security.
  • Larger companies are scrutinising their partnerships as their share prices and profitability are at stake.

A number of high profile cyber breaches have driven home the need for stronger cyber security capabilities across a broader spectrum of Australian business.

Small-to-medium enterprises in particular are becoming more aware of their vulnerabilities when it comes to data protection. Additionally, the exponential rise of cyber crime, including the increasing availability of ever more sophisticated cyber crime tools to anyone with an internet connection is leading to major breaches of sensitive information through the exploitation of smaller firms, which have historically typically under-invested in cyber security.

Cyber crime on the rise

The threat in Australia continues to rise. This month the federal government estimated that cyber attacks cost the nation more than AU$1 billion annually, and warned that attacks such as the WannaCry ransomware that crippled organisations worldwide last year, including Britain’s National Health Service, were likely to become commonplace.1

But the SME sector is quickly catching up. This is evident in the Australian response to the Global State of Information Security Survey 2018 which highlights a growing awareness among this cohort. According to the report, 33.7% of local respondents classified themselves as within the $25 million to $499 million a year turnover group, rising from 25.8% last year.

High profile cases

Still, these groups know they must act to avoid exposing the companies they support to a catastrophic breach, as evidenced through some high-profile recent cases.

Last year it was revealed that a hacker, codenamed Alf, was responsible for stealing 30 gigabytes of non-classified data on the Australian Defence Force’s AU$17 billion Joint Strike Fighter program and AU$4 billion surveillance plan projects as well as information on its warship and submarine fleet. It quietly obtained this information over a number of months in 2016 through a small ‘mum-and-dad’ type contractor.2

Italian bank UniCredit also disclosed last year that it had fallen victim in a similar circumstance over the course of several months in in 2016 and 2017 when hackers accessed around 400,000 of its clients accounts and stole personal data, through one of its third party contractors.3

Incidents such as these can not only place sensitive data in the wrong hands but can lead to a loss of consumer trust in a brand. Indeed, recent research points to the fact that as many as 74% of customers will move to a competitor in the event of a breach.4 This is placing pressure on larger organisations to scrutinise the security measures of their third-party contractors, and as such, those smaller businesses must place cyber security higher on their priority list, particularly if they wish to engage with big business.

Profitability at stake

The consequences of a cyber attack can be catastrophic for a company’s profitability and viability. In 2017, the breach of US credit reporting firm Equifax, where 147 million customer records were compromised, resulted in the loss of 18% of its share value once it was disclosed to the market. In March Equifax estimated its costs related to the attack had hit US$275 million.5

The Petya attacks last year, similarly, caused some multinational corporations to revise their sales forecasts to account for the financial disruption from their data breaches.6

It’s therefore important that cyber security measures are assessed, and tightened on a regular basis. In February the Notifiable Data Breaches scheme came into effect in Australia, and companies are now required to disclose a breach where it is likely to cause harm to those whose data is compromised.

The added layer of transparency, as well as ongoing high-profile, costly cases of cyber attacks, and the resulting scrutiny means companies, more than ever, need to ensure that their cyber capabilities are up to date, and constantly revisited. To omit this from the firm’s top priority list exposes a company to consequences such as the disruption of operations, the loss of sensitive data, and even, threat to life. Is it worth the risk?

View the full results of the Australian response to the Global State of Information Security Survey 2018.