Last financial year in Australia, a cybercrime was reported every six minutes, and the average cost of cybercrime per report was up 14% on the previous year – $46,000 for a small business, $97,200 for a medium-sized business, and $71,600 for a large business.^[1]

The scale of the threat to businesses globally is enormous – after all, almost every business today uses the internet in some way, shape or form, and is therefore vulnerable to attacks and scams. The likelihood of that attack or scam being successful, of course, depends on how well your business – people and systems – are set up to prevent it.

The annual Vero SME Index 2024 showed that 67% of businesses surveyed thought it was likely their business could be impacted by a cyber attack, and 80% of businesses believed they were prepared to handle a cyber attack.^[2] The second statistic there feels overly optimistic, given the volume and sophistication of attacks, and the fact that only 20% of SMEs in Australia have cyber insurance.^[3] It’s not surprising, though – cyber is an intangible threat. We can’t see it, and because of that it often doesn’t seem ‘real’ – that is, until it’s too late.

Common cyber tactics targeting SMEs

There are a number of cyber threats currently targeting SMEs in Australia, with email compromise (containing malicious links, attachments or malware), business email compromise (BEC) fraud (personalised emails targeting a specific individual designed to con you into sending money or business data) and online banking fraud (a cybercriminal gaining access to your online bank and transferring money out) all incredibly common.

These aren’t particularly new threats for businesses. However, the sophistication is continually increasing, and it’s a good reminder of the need for regular education, reminders and spot testing to keep people on guard. After all, human error is still the number one reason that cyber-attacks succeed.

New threats are here, however, and businesses need to be ready. Deepfake technology is something we’ve all likely read about, and earlier this year it was used to con a Hong Kong-based multinational out of US$25m, thanks to a deepfake video conference call that faked the company’s chief financial officer instructing an employee to transfer the money.

Another increasing challenge for businesses is that of ‘insider threats’ – cybercrime originating from inside the business, either from a current or former disgruntled or compromised employee, or a third party with legitimate access to your systems.

When surveyed, 74% of businesses reported that insider threat cases were more common in 2023 than the previous year, underlining just how important it is to be aware of the people in your organisation.^[4]

Insider threats fall into two categories – malicious and unintentional (or negligent) – and while the unintentional can be tackled with education, the malicious is more challenging.

HR – or people and culture – has a key role to play in identifying people who may hold enough of a grudge to sabotage your business, or be vulnerable to accepting money to give cybercriminals access.

Regardless, it’s important for businesses to understand the threats to your cyber security could be a lot closer to home than you think.

The location of cybercriminals

Speaking of the locations of cybercriminals, a new world-first report, which was a joint study between UNSW and the University of Oxford in England, has revealed exactly where cybercrime originates from, and the countries that are posing the biggest threat to our cyber safety.

The World Cybercrime Index, which was published in April, ranks the globe’s key cybercrime hotspots – with six countries responsible for the majority of the world’s cybercrime.

Russia, Ukraine, China, USA, Nigeria and Romania are the countries of origin for the biggest cybercrime threats, and the report states it’s provided authorities with strong information about the scale of the problem in their own jurisdiction.

For the record, Australia was ranked in 34th place.

Taking steps to protect businesses from cybercrime

There are a whole host of things businesses should be doing to help reduce the risk of cybercrime impacting them, including monitoring access (watch out for access at unusual times of day and from uncommon locations), implementing multi-factor authentication for every employee, and restricting access to the bare minimum necessary. Regular education, and an ongoing monitoring of employees for potential insider threats are also essential.

Cyber insurance can protect your business from financial and reputational loss should all of that fail, however, the take up is still relatively low in Australia.

Cyber insurance is something of a different product to many other forms of insurance, in that many specialist insurers offer round-the-clock monitoring, meaning potential incidents can be avoided, or their impact can be limited, which can be invaluable.

If you don’t have specialist cyber cover, speak to your Gow-Gates broker, who can advise on the most appropriate approach for your business.

^[1] ASD Cyber Threat Report 2022-2023 | Cyber.gov.au

^[2] vero-sme-insurance-index-2024.pdf

^[3] New research finds gaps in Australian cyber insurance (aicd.com.au)

^[4] https://go1.gurucul.com/2023-Insider-Threat-Report