CIO

Ignorant of cybersecurity risk, breached small businesses are concealing the cost of recovery

Concerns over reputational damage keep incidents hush-hush but breach notification laws likely to provide a shock

Many Australian businesses are quietly absorbing the cost of cybersecurity attacks to keep them off the radar, according to new reports that suggest even small and medium businesses are paying an average of $276,323 to recover from a successful attack.

The figure, contained within Surviving the Rise of Cybercrime – an eBook launched this week by Mailguard founder Craig McDonald – reflects the considerable and growing cost of cybercrime in real terms for businesses that often find out too late just how exposed they are.

“A lot of businesses, especially small businesses, that are getting impacted don’t want to come forward because of the reputational risks that they suffer as a result of the attack,” McDonald said at the book’s launch in Canberra this week. The high-level audience included Dan Tehan, the minister assisting the prime minister on cyber security, who said during his speech that the book “hits the mark”; Alastair MacGibbon, special advisor to the prime minister on cyber security; and Craig Davies, CEO of the Australian Cyber Security Growth Network.

“These businesses are all cashflow driven,” McDonald continued, “and most of these crimes are impacting either on trying to get the systems back up and running, or maybe ransomware generated where they’ve been demanded money to put their systems back into play. And most SME businesses just don’t have that cash available to continue on – which is why 60 percent of SME businesses who have been affected by a hack are out of business in six months.”

Despite the escalating risks, most SMEs seem to be wilfully ignorant of their cybersecurity exposure. Conducted online earlier this month, a Manta survey of 1420 small business owners found that just 13 percent believe they are at risk of experiencing a data breach – just a few more than the 12 percent that have already been breached in the past.

These figures suggest that most small businesses are still ignorant of the security risks they face – a conclusion reinforced by the finding that only 69 percent of small businesses have controls in place to prevent hacks.

Yet even where they were in place, these controls were generally applied infrequently. Antivirus software, for example, was the most commonly used control but was named by just 17 percent of respondent companies; firewalls (16 percent), regular vulnerability scans (12 percent), automated software updates (11 percent) and data encryption (10 percent) were among the other technologies named.

Given the low rates of utilisation of security tools and the high potential damages highlighted in McDonald’s book, small businesses may end up on the front line when data breach notification laws come into effect early next year. These laws will force visibility of the breaches that businesses are currently hiding – prompting some difficult conversations at the senior management level and, presumably, driving a ramp-up of security investments as businesses get a rude awakening about their actual exposure.

Many of those businesses will be looking to government to provide guidance around cybersecurity, which has increased in profile since last year’s release of the Turnbull government’s Cyber Security Strategy. This strategy has spilled over to efforts to improve the coordination of cybersecurity responses – and, in so doing, minimise losses to cybersecurity attacks – through moves such as the recent appointment of Dr Maria Milosavljevic as the NSW government chief information security officer (GCISO).

Milosavljevic’s remit includes the prevention of what NSW minister for finance, services and property Victor Dominello called “one of the most high profile, borderless and rapidly evolving risks facing government”. Victoria has also prioritised cybersecurity, positioning it as a priority in the state’s recently updated IT Strategy for the Victorian government, 2016 to 2020.