In 2023 the Australian Cyber Security Centre (ACSC) received reports of a cyber attack every seven minutes. Small businesses are not immune. In fact, cyber criminals deliberately target small businesses because they know their technology and security may be weaker. Fortunately, every small business has the opportunity to put preventative measures in place, and there is plenty of support available from government cyber security online resources as well as the expertise of Gallagher cyber risk management specialists.

Cyber risks can damage businesses financially, operationally and from a reputation perspective. Imagine if you couldn't log on or access your scheduling for the day or month, or someone took over your identity and started stacking up bills in your name, or broke into your e-mail, impersonated you and started sending invoices out to your customers with a fake account embedded into those invoices. These scenarios are day-to-day realities, so it's critical that you understand your risk and address it in the most effective way you can.

Common cyber threats

  • Business e-mail compromise: hacked e-mail credentials are used to scam money or goods
  • Data breaches: unauthorised leaking of personal or sensitive information
  • Hacking: infiltration of a business system by exploiting a software weakness
  • Identity theft: impersonation of you or your business to steal money or other benefits
  • Malware: malicious software such as 'Trojans', 'viruses' or 'worms' used to harm your system
  • Ransomware: malware that locks up your system or encrypts essential files
  • Scams: the impersonation of known brands or entities to obtain money
  • System and network attacks: internal or external attempts to illicitly access your business systems

Ransomware continues to be a major threat to all Australian businesses, and small businesses specifically are constantly under attack. (Note: if you back up your business data regularly you are less likely to need to pay a ransom for its return.)

Essential steps for SMEs to safeguard their cyber security

The costs associated with data breaches, business downtime, legal fees and reputational damage are high. In the 2021‒2022 financial year the average cost per cybercrime reported to the ACSC rose to over $39,000 for small businesses. For 2022‒23 this figure rose by more than 10% to $46,000. This is enough to send some companies to the wall, but help is available, firstly through simple security measures, and secondly through cyber insurance.

The first step would be to secure your systems and accounts by:

  • using strong passwords or, better still, passphrases
  • putting automatic updates on your software (patching)
  • using security software — technical controls
  • backing up your info so it can be restored
  • securing your network and external services
  • resetting devices before selling or disposing of them
  • keeping your devices locked and physically secure
  • protecting your business data
  • educating employees — most attacks are the result of human error
  • making an emergency plan for a data breach
  • staying informed about cyber risks and security advice.

The Australian Government provides support through its recommended risk management framework called the Essential Eight [1]. The government website provides clear directives for the specific controls that need to be implemented in order to achieve a reasonable level of cyber security for your business. There is a small business guide [2] which breaks these controls down into easy-to-understand sections.

Could your cyber security be jeopardised by your IT service provider?

We have seen an uptick in the incidence of expensive claims resulting from cyber attacks on IT service providers of small businesses. Often these managed service providers have weaknesses in their own security which then impact their clients.

Managed service providers are a major target for cyber criminals due to their ability to hit multiple victims in one attack. For this reason you should be asking the following questions of yourself and your IT service providers:

  • do you have a written contract in place?
  • does it provide clear scope of their services?
  • is it clear who has the responsibility to manage your cyber security?
  • do you know what would happen in the event of a cyber breach?
  • is there a clear response plan in place?
  • who will pay for the cost of a cyber breach?

Why SMEs need cyber insurance

Cyber insurance is now accessible and affordable to businesses of all sizes. Your Gallagher cyber insurance broker can run scans of your IT environment and help you understand where your risks are.

Without insurance your business will bear all the costs involved with a data breach, which can escalate very quickly. Insurance provides protection from when you first suspect you have a problem until you're back to business as usual and gives you access to experts who guide you through all the steps involved.


[1] Australian Centre for Cyber Security's Essential Eight, Australian Government, Australian Signals Directorate, 27 Nov 2023.

[2] Small Business Cyber Security Guide, Australian Government, Australian Signals Directorate, June 2023.


Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312