Small businesses in Australia fall well short of security standards in some critical areas, a Q4 2023 Australian Securities and Investments Commission (ASIC) survey has found. While all the businesses surveyed achieved an average of less than half the possible score on maturity of cyber risk management, its small businesses (25 or less employees) that report serious gaps in their cyber security.

The Spotlight on cyber: Findings and insights from the cyber pulse survey 2023 analysed responses from just under 700 participants with representation across different business sizes, types, and sectors.

The survey was designed to assess cyber strengths and weaknesses in these critical areas:

  • governance and risk management
  • identifying information assets, protecting information assets
  • detecting cyber security events
  • responding to cyber security incidents
  • recovering from cyber security incidents.

Key findings from the Q4 2023 ASIC cyber security survey

The results strongly suggest that in the event of a cyber breach most Australian businesses are reactive rather than proactive when it comes to managing their cyber security.

Overall the perceived top threats were:

  • phishing 26%
  • ransomware 17%
  • business email compromise 17%.

Businesses are doing well at:

  • identity and access management
  • government and risk management
  • information asset management.

Where small businesses are failing at cyber security

What the survey responses show is that medium sized and large organisations consistently self-rated more mature cyber capabilities than small organisations.

Small organisations lagged behind in:

  • supply chain risk management
  • data security
  • consequence management.

These security gaps make them vulnerable to cyber attacks, which typically infiltrate business systems, installing malicious software, deploying ransomware, rendering systems unavailable and stealing confidential information.

Cyber criminals often do this by exploiting known, unpatched vulnerabilities to gain remote access or tricking employees (through phishing or other means) into opening an attachment containing a macro that installs malicious software, allowing an attacker to access the business system.

Some critical gaps in small businesses' cyber security revealed by the survey

34% of small business respondents do not follow or benchmark against any cyber security standard.

Cyber security standards and frameworks help businesses take a comprehensive approach to:

  • identifying and managing cyber risk
  • protecting confidential information
  • mitigating and managing cyber threats
  • investing in cyber security.

An organisation should adopt and implement a cyber security standard that is proportionate to the function, size and complexity of the organisation.

Implementing a cyber security standard begins with a cyber risk assessment and identification of gaps in cyber risk management.

44% do not perform risk assessments of third parties and vendors.

Third parties can be vendors, suppliers, partners, contractors or service providers with access to your business systems, which can provide threat actors an entry point so cyber security measures need to include these relationships.

33% have no or limited capability in using multifactor authentication.

Most people are familiar with user name and password verification of identity and this type of multifactor authentication should be applied to your business systems — and access to specific areas given only to those whose roles justify it.

41% do not patch applications.

Since outdated software applications are a vulnerability, it's essential to apply patch updates as soon as they become available.

Better practices for ensuring adequate patching include:

  • developing a documented patch management policy that outlines roles, responsibilities and procedures for applying patches
  • prioritising and applying security patches, especially for systems and applications that handle confidential information
  • patch testing to ensure they do not disrupt critical business processes or introduce new issues
  • considering automated patch management solutions to streamline the patching process
  • continuously monitoring for new patches.

45% do not perform vulnerability scans.

To stay on top of potential entry points for cyber criminals businesses are advised to:

  • use automated vulnerability scanning tools to regularly scan networks, systems and applications for vulnerabilities
  • prioritising vulnerabilities based on severity and potential impact
  • establishing a process for identifying, assessing, remediating and tracking vulnerabilities
  • coordinating vulnerability scans with a patch management process
  • maintaining records of vulnerability scans, assessment results and actions for auditing and compliance purposes.

30% do not have backups in place.

It only takes a few minutes to conduct daily backups of critical data and isolate the backups in a safe location separate from your network.

How small businesses can immediately boost their cyber security

For small businesses not in the position to outsource their cyber security to IT professionals, there are some easy to achieve measures you can take that provide basic protections, starting with the Australian Centre for Cyber Security's Essential Eight1. In addition to the Essential Eight strategies, small businesses could also consider:

  • educating employees about cyber security best practices
  • developing a cyber incident response plan and enforcing cyber security policies and procedures
  • conducting regular security assessments and vulnerability scans
  • assessing the cyber security practices of third-party vendors implementing thorough background and reference checks when hiring
  • implementing robust monitoring and logging solutions to detect and respond to suspicious activities on networks.

For more information and resources to help small organisations enhance their cyber security, visit the small business section2 of the ASD's ACSC website.

How Gallagher can help

As most business liability policies exclude cover for Cyber Liability, small business owners should consider a separate cyber insurance policy that covers your risk exposures and includes costs such as business interruption, legal expenses and data recovery.

In addition to cyber insurance protection and advice, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.



1 Australian Centre for Cyber Security's Essential Eight , Australian Government, Australian Signals Directorate, 27 Nov 2023.

2 Small Business Cyber Security , Australian Government, Australian Signals Directorate.


Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers' control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312