We're a Baker Tilly network member
Learn more
Back to top
Busting the small business data breach myths
Article

Busting the small business data breach myths

Why would a sophisticated cyberattacker want to target a small business like mine?

It’s one of the most frequent questions I hear in conversations with clients and one that is full of misunderstandings.

There is often a state of hyper-alertness following high-profile data breaches on big organisations that have exposed the information of millions of people.

The cost of each cyberattack and data breach averaged around $3.35 million in Australia in 2020, and they have a long tail, with estimates that in some cases almost half of the costs are incurred 12 months after the attack.

But at the same time, high profile attacks draw a feeling of relief within small and medium-sized business, who are grateful that they don’t have the volumes of personal information and cash of big firms, so they believe they will never be hit.

The problem with the opening question is three assumptions behind it – that attackers can’t be bothered with small outfits, the notion of sophistication, and an unawareness of the value held by small and medium businesses.

Myth 1: SMBs are not cyber targets

Information gathered by the Office of Australian Information Commissioner shows that, in the six months to December 2021, 96% of data breaches affected 5000 individuals or fewer, and 71% affected 100 people or fewer.

That’s right in the small business ballpark.

Pitcher Partners’ recent Business Radar 2022 report revealed that a quarter of mid-market businesses have experienced a cyberattack of some kind, everything from text message phishing to ransomware attacks.

However, the real number may be even higher and many mid-market businesses may be reluctant to speak up through fear or embarrassment.

Others may have been compromised and just don’t know yet. I’m aware of one company which had no reason to suspect a data breach until the police showed up on their doorstep. Criminals had been lurking in their networks for 12 months and data linked to the company had been found.

Cyberattacks and data breaches hit small and medium businesses more often than big businesses simply because they are more vulnerable.

Myth 2: ‘Sophisticated’ cybercriminals

Small businesses don’t necessarily have millions of dollars in the bank, but they still have two things that attackers want – data and connections.

In the mind of the community, cyberattacks conjure pictures of teams of tech-savvy crooks writing code in a basement to crack open banks and cash-rich businesses.

For sure, there are instances where cyber criminals are sophisticated outfits. But they are far more likely to share a trait with every other common crook – they are opportunists.

The reality is they simply take advantage of a security gap or exploit a known vulnerability from running old, unpatched software.

Very little in cyberspace is sophisticated – often, breaches start with people disclosing passwords.

Myth 3: My company isn’t valuable enough

A cash ransom is not always the end game. Reconnaissance is equally important.

Information gained from smaller, more easily accessible organisations about systems and networks is preparation for more lucrative operations.

If your small operation supplies a big mining company or major manufacturer, who does it make more sense to target in the first instance?

Attackers gather details about systems, expose client relationships and can gather confidential information about directors, partners and other stakeholders.

There is also vital data concerning customers and suppliers such as identification, as we have seen in recent breaches of high-profile companies.

If you are the weak link that allowed an attacker to break in, will businesses and customers still want to keep working with your business?

Simple steps to prepare, defend and act

Most attacks are preventable and business leaders need to focus on what they can control.

Identify the most critical data assets and take every reasonable measure to ensure they are protected, rather than be overwhelmed by trying to cover all bases to the same depth.

Ensure that the business will actually know when a breach has occurred. Without this element, it may be months before an organisation is even aware of an attack, let alone how much it has been compromised.

Finally, have an action plan prepared if a breach does occur.

The plan needs to be detailed because the response to different attacks will vary, and business leaders need to know their regulatory obligations and notification requirements.

Data breach threats have been around for quite some time, yet myths persist that serve to excuse business leaders from preparing.

Cyberattacks are not about necessarily exploiting the wealthiest, but the businesses more likely to underspend in their digital protection.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners or its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.

Our experts

Andrew Beitz

Andrew Beitz

Principal

Adelaide


View profile
Norman Thurecht

Norman Thurecht

Managing Partner

Brisbane


View profile
Rob McKie

Rob McKie

Consultant

Melbourne


View profile
Scott Edden

Scott Edden

Partner

Newcastle and Hunter


View profile
Adam Irwin

Adam Irwin

Managing Partner

Sydney


View profile

Pitcher Partners insights

Get the latest Pitcher Partners updates direct to your inbox

Thank you for you interest

How can we help you?

Business or personal advice
General information
Career information
Media enquiries
Contact expert
Become a member
Specialist query
Please provide as much detail to ensure appropriate allocation of your query
Please highlight a realistic time frame that will enable us to provide advice within a suitable and timely manner. Please note given conflicting demands with our senior personnel, we will endeavour to respond to you within the nominated time frame. If you require an urgent response, please contact us on 03 8610 5477.
CPN Enquiry
Business Radar 2024
Dealmakers 2024
Tax Facts 2024-25
Search by industry