Key points
- More than half of Business Radar respondents believe their business is not an attractive target for cybercrime
- Ambiguity in responsibility for cybersecurity could leave businesses at risk
- With cybercrime on the rise, a practised response plan and communications strategy is critical
The Pitcher Partners Business Radar report has shown that business leaders may overestimate their organisation’s preparedness for a cyber-attack or data breach, potentially leading to underestimation of the risks they face. While cybersecurity is a top priority for most mid-market companies, there is some ambiguity regarding who is responsible for cybersecurity. 54% of respondents named the IT team as having some responsibility, while 40% named managers and supervisors, 31% named executive leadership, 31% named all employees, and 19% named owners. Surprisingly, only 16% of respondents believed that the company board is responsible for cybersecurity, despite warnings from the Australian Securities and Investments Commission (ASIC). ASIC chairman Joe Longo said at the start of the year: “From my perspective, I see (cybersecurity) as the top of the house, the board of directors level, issue.”
Size doesn’t deter when it comes to cybercrime
While almost half of those who responded believed their business was not an attractive target, it’s important to note that cyber breaches are on the rise. The Office of the Australian Information Commissioner reported a 26% increase in cyber breaches notified from July to December 2022 compared to the first half of the year. Most of these breaches (88%) involved contact and identity information, which every business holds in vast quantities.
It’s important to be aware that outsourcing IT services does not necessarily remove risk for the business, either legally or practically. Even so, 45% of respondents believed that outsourcing IT services reduces risk, and this number rose to 59% among highly confident businesses. This indicates poor awareness of the risks associated with third-party and supply chain security management.
Small businesses may feel that they are ‘small financial fish’ in the cybercrime pond, which can lead to a false sense of security, but they are often targeted because they represent an easier access point to larger organisations in their supply chain. Additionally, they may not be as well defended as larger organisations, and they hold volumes of highly sensitive data. Therefore, it’s important to have a documented incident response plan in place, with clear processes to contain the breach and remediate the damage.
Proactivity is key, prepare and practise
Preparing for a cyber-attack should involve a communications plan, as it’s crucial to be able to respond quickly and effectively during a crisis. Businesses should also be aware of their obligations for reporting an incident to the appropriate people in their organisation and to regulatory authorities. Preparing well should also involve workshopping and practising response plans and communication strategies ahead of an actual threat, because arranging one in the middle of a crisis will not allow the business to be responsive. The impact of a data breach can be severe, including exposure of critical data, loss of confidence from investors, class actions by affected customers, and loss of revenue and jobs. The average cost of a ransomware attack globally is now $6.5 million according to IBM’s 2022 Cost of a Data Breach report, and is rising sharply every year as attacks become more sophisticated.
Prudent business leaders should revisit their cybersecurity plans to ensure they are sound and that people at all levels of the organisation understand their role and responsibilities in case of a breach. Investing in cybersecurity can have a positive impact on a business, protecting it from potential risks and helping to maintain its reputation and relationships with customers and suppliers.