Heads in the sand: SMEs take cyber gamble
14 October 2019
It’s routinely flagged as one of the top business threats across the globe, but many Australian SMEs think they’ve got cyber risk covered. The trouble is they almost certainly haven’t.
A new survey from Chubb shows ostrich syndrome is in full effect as small business owners and managers display a confidence that’s clearly at odds with reality.
The insurer’s second annual SME cyber preparedness report draws worrying conclusions about levels of ignorance and the possible consequences.
Almost half of respondents (47%) are not aware of their regulatory obligations under the Notifiable Data Breaches (NDB) scheme, which requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm.
This is hard to believe. The scheme has been in force since February 2018, so well over a year at the time of the survey, and failing to comply with it is an interference with privacy under the Privacy Act that can attract civil penalties.
“Do SMEs think they are above the law?” Chubb’s Cyber Underwriting Manager Asia Pacific Andrew Taylor asks.
While larger companies seem to understand their obligations, Mr Taylor says SMEs are less clear.
“The report found that many SMEs do not understand precisely what type of data breaches require notification,” he says.
“This is a huge cause for concern. A cyber incident can be catastrophic for a smaller organisation, and this lack of understanding around reporting obligations raises the stakes further.
“While the NDB scheme is receiving more notifications, it is highly likely that many more breaches have gone – and continue to go – unreported.”
Chubb says SME leaders’ misplaced confidence has risen since the previous survey, even as cyber warnings intensify.
Almost one in three (32%) senior leaders expect their business to be immune from attack, 49% of SMEs have no data breach response plan in place, just 43% invest in cyber training for staff, and only 27% have cyber insurance.
Only 33% of respondents thought a cyber incident would have a significant impact on reputation, with 40% believing it would affect revenue and/or sales.
Perhaps most disturbing of all, 79% of SMEs are confident they can overcome a breach by sophisticated hackers within 24 hours.
As insuranceNEWS.com.au has previously reported, national brokerage Insurance House took a month to fully recover from a ransomware attack earlier this year.
The delay occurred despite Insurance House losing no data, and having disaster recovery plans, back-up environments and cyber insurance in place. Losing no data is not the same as recovering quickly: the time goes into containing the intrusion, restoring or rebuilding systems and verifying they are clean before they are put back into service.
Chubb’s Cyber and Technology Industry Practice Manager Australia and New Zealand John DePeters says the insurance industry must work together to improve client understanding.
“There is a collective opportunity for the insurance industry to help clients tackle this and brokers are very keen to help,” he told insuranceNEWS.com.au.
Mr DePeters says there may be a case of “breach fatigue”, where SME leaders read almost constant reports of large business breaches but think it won’t happen to them.
“There is a perception that this is a large business exposure, but actually small- to mid-sized businesses are the low-hanging fruit and [are] more vulnerable.
“The reality is it takes a really strong incident response, and we have seen many cases where the recovery runs into weeks and months.”
The NDB scheme received 967 breach notifications in the 12 months from 1 July 2018 to 30 June 2019.
The Office of the Australian Information Commissioner confirmed to insuranceNEWS.com.au that as yet there have been no financial penalties issued for failing to comply with the scheme.
The Chubb report says the most common incidents faced by SMEs in the past 12 months were phishing compromises (21%), data loss (15%) and business interruption as a result of system malfunctions or technical faults (13%).
Mr DePeters urges Australian SMEs to “review their preparations closely”.
“In the coming years, the global economic cost of cyber risk is forecast to increase substantially,” he said.
“With SMEs making up 96% of all businesses in Australia, they will be hardest hit.”