In the coming years, cyber risk is forecast to substantially cost businesses globally in lost revenue. Last year, we suggested that Small and Medium-sized Enterprises (SMEs) in Australia were the “low hanging fruit” for threat actors. Though this year’s statistics are no different, the story takes a different turn with many SMEs unaware of their regulatory obligations. Do SMEs think they are above the law?
While larger companies seem to understand their obligations, SMEs may have missed the memo. Less than one third (31%) of Australian SMEs are aware of their obligations under the Notifiable Data Breaches (NDB) scheme, and just under half (47%) say they are not aware. One in five (21%) of those surveyed say they do not fall under the scheme.
The overconfidence in being able to manage cyber risks still exists among SMEs in Australia. 79% of respondents are confident they can overcome a breach by sophisticated hackers within 24 hours, while 32% believe that they will not experience a cyber attack.
In fact, 49% of SMEs have experienced a cyber incident in the past year. In addition, 41% of employers are not confident that their employees who have access to sensitive data are fully aware of their data privacy responsibilities. Yet less than half (49%) of SMEs have a data breach response plan.
Currently, only one quarter (27%) of SMEs have cyber risk insurance, while half (50%) have never been covered. Nearly one in ten (9%) have let their cover lapse, while a further 14% weren’t sure whether they have cover. Half (49%) of SMEs did not purchase insurance either before or after an incident – still a high number, but an improvement on the 62% from 2018.
With SMEs making up 96% of all businesses in Australia, they will be hardest hit by cyber incidents without good risk mitigation, incident response planning and the consideration of cyber insurance.
These findings, based on the Chubb SME Cyber Preparedness Report 2019: Ignorance is Risk, show that there is a need for SMEs to be aware of their regulatory obligations, and to be better prepared to prevent and overcome cyber incidents.
Ignorance is Risk - Australia SME Cyber Preparedness Report 2019