The cost of a cyber security breach for a small business is increasing. In the 2021‒2022 financial year the average cost per cyber crime reported to the Australian Cyber Security Centre (ACSC) rose to over $39,000 for small businesses. For medium sized businesses the estimate was more than double: $88,000 — and that's without factoring in downtime, reputational damage, data loss and the need to redo work.

Without substantial budgets to improve cyber security tech, what can small to medium sized businesses do to improve cyber security?

To help small to medium sized businesses defend themselves against common cyber threats the ACSC provides essential and practical information in the Small Business Cyber Security Guide¹. This includes 15 simple and inexpensive measures businesses can adopt right now to improve their cyber safety and security.

15 simple tips for improving SME cyber safety and security

Secure your business systems' accounts

  1. Start by securing your business systems' accounts by turning on multifactor authentication (MFA). A user name and password on their own are a single factor; MFA also requires a second form of identification, such as a code from an authenticator app or a code sent to your phone. This adds an extra layer of security, so a stolen password is not enough on its own.
  2. Always use strong and unique passwords or, even better, pass phrases of four or more random words. These are far harder to guess than a short password and easier to remember. Have trouble remembering them all? Use a password manager, which generates and stores a unique password for each account.
  3. Shared accounts can be a convenient way to collaborate, but they also pose a security risk. When several staff use the same account it is hard to trace activity back to a specific employee, and harder still to spot a cyber criminal who has broken in and is using it, so avoid shared accounts wherever possible and create individual accounts instead.
  4. Access controls are also essential to maintaining visibility over system security. Limit employee access to sensitive data and systems to only what each person needs to perform their job, and review that access when roles change or staff leave.
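The second tip above says that four or more random words are "more unpredictable" than a simple password. The example below, added here and not part of the ACSC guide or of this page, makes that concrete: it generates a pass phrase from a word list using the operating system's cryptographic random source and compares the entropy (the number of equally likely choices an attacker must try) of a four-word pass phrase against that of random character passwords. The 24-word list is constructed for the demo; the 7,776-word list size is an assumption matching the commonly used EFF long word list, which is not embedded here.

```python
import math
import secrets

# Constructed sample word list so the demo runs offline. A real generator should
# use a large published list; a tiny list like this one gives weak pass phrases,
# as the entropy figures below show.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]

# Assumed size of a full diceware-style list (the EFF long list has 6^5 entries).
FULL_LIST_SIZE = 7776


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random with the OS CSPRNG (never `random`)."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` independent, uniform picks from a list of `list_size` words."""
    return count * math.log2(list_size)


def password_entropy_bits(charset_size, length):
    """Entropy of a truly random password of `length` characters from `charset_size`
    symbols. Human-chosen passwords are far below this bound."""
    return length * math.log2(charset_size)


def compare(count=4, list_size=FULL_LIST_SIZE):
    """Return (passphrase bits, 8-char letters+digits bits, 8-char printable ASCII bits)."""
    return (
        round(passphrase_entropy_bits(list_size, count), 1),
        round(password_entropy_bits(62, 8), 1),  # [A-Za-z0-9]
        round(password_entropy_bits(94, 8), 1),  # all printable ASCII
    )


if __name__ == "__main__":
    print("sample pass phrase:", generate_passphrase(SAMPLE_WORDS))
    print("4 words from a 24-word list:", passphrase_entropy_bits(len(SAMPLE_WORDS), 4))
    print("4 words, 8 alnum chars, 8 printable chars:", compare())
    print("5 words from the full list:", passphrase_entropy_bits(FULL_LIST_SIZE, 5))
```

Four words from a 7,776-word list give about 51.7 bits, more than a random 8-character letters-and-digits password (47.6 bits) and roughly equal to a random 8-character password drawn from every printable character (52.4 bits); a fifth word takes the pass phrase well beyond both. The comparison is against perfectly random passwords; passwords that people choose themselves are much weaker, which is why the guide prefers random words or a password manager.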

Protect systems and information from cyber threats

  1. Keeping your software up to date is another protection that's easy to achieve. Make sure your staff regularly update all software and applications to the latest versions and apply patches as they become available; turn on automatic updates wherever they are offered. This reduces the chances of a cyber criminal using known vulnerabilities and weaknesses to run malware or hack your devices.
  2. Backing up your information/data is crucial if you do sustain a cyber attack, and gives you a much better chance of recovering from a ransomware attack or any other incident that results in data loss. Make sure you regularly back up all important data, store your backups in a secure location, keep at least one copy offline or disconnected so that ransomware cannot encrypt it along with your live data, and periodically test that you can actually restore from them.
  3. Security software, such as antivirus and ransomware protection, is another key action in protecting your business. Having well-regarded security software or antivirus protection running on all your devices helps prevent malware and other cyber threats from infecting your systems.
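A backup only counts once a restore from it has been proven to work. The following example is added here to illustrate that check; it is not code from the ACSC guide or from this page. It archives a folder, records a SHA-256 manifest of every file, restores the archive into a scratch directory and confirms each restored file matches the manifest. The sample business files it creates are constructed for the demo, and the folder and file names are arbitrary.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_hashes(root):
    """Manifest: path relative to `root` -> SHA-256 of contents, for every file."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Write a gzip tar of `source_dir` and return the manifest taken at backup time."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for entry in sorted(source_dir.iterdir()):
            tar.add(entry, arcname=entry.name)  # recursive for directories
    return snapshot_hashes(source_dir)


def verify_restore(archive_path, expected_hashes):
    """Restore into a throwaway directory and compare every file with the manifest.
    Returns True only if the restored tree is byte-for-byte what was recorded."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # Python 3.12+ (and patched 3.8-3.11): refuse members that would
                # escape the restore directory or set dangerous permissions.
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        return snapshot_hashes(restore_dir) == expected_hashes


def demo():
    """Constructed sample data: back it up, prove the restore, then show a stale
    backup being caught. Returns (restore_ok, stale_backup_matches_current_data)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "business-data")
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2023-06.csv").write_text("id,amount\n1,120.00\n2,85.50\n")
        (src / "customers.txt").write_text("Acme Pty Ltd\n")

        archive = Path(work, "backup.tar.gz")
        manifest = create_backup(src, archive)
        restore_ok = verify_restore(archive, manifest)

        # Data changes after the backup was taken; checking the old archive against
        # today's files shows it no longer covers everything and must be refreshed.
        (src / "customers.txt").write_text("Acme Pty Ltd\nNew Customer Ltd\n")
        stale_matches = verify_restore(archive, snapshot_hashes(src))
        return restore_ok, stale_matches


if __name__ == "__main__":
    print("restore verified, stale backup matches current data:", demo())
```

In practice the manifest is stored alongside the archive (and the archive's own hash recorded separately) so a copy kept offline or at another site can be checked without trusting the medium it sits on. Running the restore test on a schedule, not only when disaster strikes, is the check the second tip asks for.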

Network security measures

  1. Secure your network, including your routers and servers. Start by replacing any default passwords with strong pass phrases and turning on multifactor authentication wherever it is offered, but it's also worth asking an IT professional for more advice. You may want to consider migrating to secure cloud services that offer built-in security instead of managing your own servers.
  2. Secure your website by regularly updating its content management system and plugins, protecting the website's logon with multifactor authentication or a strong pass phrase, and backing up the website regularly so that it can be restored quickly if it is compromised.

Protect your business's data

  1. Reset devices when upgrading: when you're getting rid of old devices, make sure you wipe them clean of all data first (a factory reset, or a full erase for computers and hard drives) to prevent sensitive information falling into the wrong hands.
  2. Keep devices locked and secure, as your business data is one of your most valuable assets. Prevent unauthorised access to your data by making sure devices are locked with a pass phrase, PIN or biometric, and set them to lock automatically after a short period of inactivity.
  3. Store your business data in a central location that is secure, and regularly back up data to prevent loss.

Be prepared for an attempted cyber attack

  1. Cyber education for business owners and employees: set aside time for cyber security training so your employees understand the importance of strong pass phrases, software updates and data backups. Urge them to always be vigilant when opening emails, clicking links or downloading attachments.
  2. Make an emergency plan in case of a cyber attack or similar risk. Essentials to include: recovering data, restoring systems and communicating with staff and customers. Your employees also need to be familiar with the emergency plan and how to report an incident. Testing your emergency plan in a safe environment helps identify gaps or weaknesses.
  3. Stay informed: consider becoming an ACSC partner to receive the latest advice and timely insights from cyber experts. Report suspicious incidents to the ACSC through ReportCyber.

How Gallagher can help

Be aware that most business liability policies exclude cover for cyber liability. That's another reason why you should consider a separate cyber insurance policy that covers your risk exposures and includes costs such as business interruption, legal expenses and data recovery.

In addition to cyber insurance protection and advice Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.



¹ Small Business Cyber Security Guide, ACSC, 16 Jun 2023


Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers' control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312