
Cyber Scare: A look at small to medium-sized business and the emergence of cybercrime in Australia

May 2017


Contents

The study
Key findings
Respondent demographics
Survey findings
Online activities
Everyone’s an expert
Confident but concerned
How to handle the risk
Protection
Getting help
Reported cybercrime events
Following the event
Tools of the trade
What you can do
Next steps
Methodology
Who we are
References


The NSW Small Business Commissioner

The NSW Small Business Commissioner has commissioned this research, in partnership with the University of Technology Sydney, on business attitudes and views of cybercrime. This is so that we can better inform government, industry and other stakeholders of cyber security awareness amongst small to medium-sized business owners in NSW.

The study

Australian small to medium-sized enterprises1 (SMEs), as with many other organisations globally, are a potential target for cybercriminals. This is partially due to the high rate of internet usage amongst businesses in Australia, at 95%2, and the general affluence of many businesses in Australia, as indicated by the nation’s sustained economic conditions and AAA credit rating.3 It can also be attributed to the increasing pressure for SMEs to move toward a digital, online and mobile marketplace.4

Many SMEs, along with larger organisations, use digital technology out of business necessity. Leveraging digital technologies is now fundamental to the success and competitiveness of many organisations. Digital technology creates universal access for an organisation’s products and services through a global online marketplace.5 It also requires less capital outlay, fewer staff and allows for shorter supply chains, faster manufacturing lead times and greater automation.

1 SMEs are businesses employing fewer than 200 employees, Australian Bureau of Statistics (ABS) Report 8165.0 2016.

2 ABS Report 8129.0 2015.

3 Janda 2016.

4 Mazzarol, Reboud and Clark 2015, Accenture 2014, Acs and Preston 1997.

5 Mazzarol, Reboud and Clark 2015.

Cybercrime is rated by SMEs as the 5th biggest risk to their business

The emergence of digital technology as a global, shared infrastructure has contributed to a growing risk of cyber security events or cybercrime. Cyber security events, previously unknown or rare in the 1990s, now occur globally, every second that an organisation operates online.

For the purposes of this study ‘cybercrime’ is considered to be dishonest or criminal activity online or by phone. Cybercrime can include instances of deceptive conduct like malicious software or viruses, online or phone scams, theft of critical business information, fake overpayments, fake invoicing or hacking a business to obtain a customer’s details or access to a supplier’s network.6

The cost of cybercrime to businesses in Australia is rising exponentially, costing Australians an estimated $1 billion each year.7 Cybercrime costs businesses globally more than $3 trillion annually, and it is anticipated that by 2021 this will exceed $6 trillion.8

6 Australian Government 2013, Cybercrime Act 2001, Schaper and Weber 2012.

7 Australian Government, Australia’s Cyber Security Strategy, 2016.

8 Cybersecurity Ventures 2016.


NSW Small Business Commissioner Cyber Report 2017

Key findings

9 Australian Government 2013, Cybercrime Act 2001, Schaper and Weber 2012. References: Schaper, M.T. and Weber, P. (2012) ‘Understanding Small Business Scams’, Journal of Enterprising Culture, 20(3) pp. 333-356.

10 Australian Government, 2017, Australia’s Cyber Security Strategy – enabling innovation, growth and prosperity – First annual update, Attorney-General’s Department, Canberra. Cyber security Ventures, 2016, Hackerpocalypse: A Cybercrime Revelation, Cyber security Ventures.

SMEs believe their limited online presence protects them from cyber crime

The most frequent digital activities of SMEs are receiving and sending emails.

Almost 50% of SMEs have a social media presence. It is through these activities that SME owner-operators may, unknowingly, expose their businesses to cyber security risks.

The cost of cybercrime to businesses in Australia is rising exponentially, costing Australians an estimated $1 billion each year.

Cybercrime costs businesses globally more than $3 trillion annually and it is anticipated that by 2021 this will exceed $6 trillion.10

Small to medium-sized enterprises (SMEs) have a limited online presence

50% of SMEs limit their digital footprint to a business website with contact details and social media.

Only 20% of businesses sell their products or services online.

cybercrime noun

dishonest or criminal activity online or by phone. Cybercrime can include deceptive conduct like malicious software or viruses, online or phone scams, theft of critical business information, fake overpayments, fake invoicing or hacking a business to obtain a customer’s details or access to a supplier’s network.9

What scared me most was when my email was redirected … I was scared for my family and if their personal information had been compromised from the hack. I was also concerned for my clients’ data and the confidential information that I held for them.
Small business owner and cybercrime victim


SMEs feel informed about cybercrime

When it comes to the perception of cybercrime, almost 2 in 3 SME owners feel well-informed about the risks of cybercrime.

80% of SME owners feel their business can respond to a security breach, making SMEs more confident than some ASX-listed companies.

Cybercrime is rated by SMEs as the 5th biggest risk to their business

SMEs are most concerned about fraudulent emails or phone calls, social media hacking, online banking fraud, crypto-ransomware and malware.

SMEs manage the risks to their business through their own experience

75% indicated they are influenced by their own experience rather than advice they received from a specialist (lawyer, accountant).

SMEs want a tool to help them manage cybercrime

93% said they would like a tool. There is a need for risk-management tools for SME owner-operators to protect their businesses from cybercrime.

Less than 30% of SMEs report having suffered a cybercrime event.

When it comes to seeking help: IT forensic consultants ranked highest at 60%, then Google at 40%, Police at 35% and then the Government at 34%.

[With the help of an IT expert] I am so much more savvy now! My website is being redone—SSL and a more secure server, and information provided by my clients will be encrypted. All my passwords to my emails now are nonsense words.
Small business owner and cybercrime victim


Respondent demographics

The survey focused on NSW small to medium-sized enterprises (SMEs), that is, those businesses employing fewer than 200 full-time equivalent employees. This resulted in a total sample size after data cleansing of 1,089.

The large sample size and the comparability of the research findings with ABS business data means these findings are representative of the entire SME population, with a confidence interval between 91-96%.

The survey responses represent the roles of business owner-operators (75%), directors (19%) and business managers (6%).

Roles and responsibilities

A total of 94% of all respondents were small businesses employing fewer than 20 full-time equivalent employees. This corresponds with ABS data that 98% of businesses in Australia are small businesses.11 Only 6% of respondents were medium-sized businesses employing 20 to 199 employees (Table 2: Employees). This means the data overwhelmingly represents small businesses.

Employees

Almost 60% of respondents had a turnover of less than $200,000. This corresponds with ABS data that 60% of businesses in Australia reported a turnover of less than $200,000 (Table 3: Turnover).12

Turnover

[Table 1: Roles and responsibilities (pie chart). Owner 75%; Director 19%; Business manager 6%]

[Table 2: Employees (bar chart). None 44.4%; 1-4 30.1%; 5-10 12.1%; 10-19 7.3%; 20-199 5.9%]

[Table 3: Turnover (bar chart). Categories: $50,000 or less; $50,000 to $200,000; $200,000 to $2m; $2m or more; Prefer not to say]

Cost of cybercrime in Australia is an estimated $1 billion each year.

11 ABS 8165.0 2016.

12 ABS 8165.0 2016.


The largest percentage of respondents by age was in the 45–54 age bracket, totaling 25%. This corresponds with ABS data that 28% of business operators in Australia fall within the 45–54 age bracket (Table 4: Age and years of experience).13

SME owner-operators had an average of three years’ experience in operating a business, despite overall results ranging between 1 and 60 years. Over 60% of all respondents had 10 years’ experience or less in operating a business.

Age and years of experience

Almost 40% of respondents to the online survey were female. This is slightly higher than the number of females represented by business operator demographics in Australia, as female business operators are represented at 34%.14 Notably, the female respondent size was higher in both regional and rural NSW at 50% respectively (Table 5: Age and gender).

Age and gender

[Table 5: Counts of respondents by age and gender (bar chart). Age brackets: 15-19, 20-24, 25-34, 35-44, 45-54, 55-59, 60-64, 65 and over. Series: Male, Female, Transgender, Prefer not to say]

The largest percentage of respondents by age was in the 45-54 age bracket, totaling 25%.

40% of respondents to the online survey were female.

[Table 4: Age and years of experience (stacked bar chart). Age brackets: 15-19, 20-24, 25-34, 35-44, 45-54, 55-59, 60-64, 65 and over. Series: 0-5, 6-10, 11-15, 16-20, 21-25, 26-30, 31-35 and 36-60 years of experience]

13 ABS 8165.0 2016.

14 Australian Bureau of Statistics 2015.


Almost 50% of respondents operated in metropolitan NSW (Sydney), while 35% were from regional NSW and 11% from rural NSW. Of those respondents, only 3% operated in another state or nationally, and 1% operated overseas in addition to operating a NSW-based business (Table 6: Business location).

Business location

The construction industry sector is under-represented in the sample, while the professional, scientific and technical services industry is over-represented. One reason for the high levels of respondents in this industry group may be the level of interest in cyber security as a topic in those sectors (Table 7: Industry sector).

Industry sector

[Table 7: Industry (bar chart comparing ABS 2012 with the sample). Sectors: Farming; Manufacturing; Construction; Retail & wholesale trade; Hospitality (accommodation, cafes and restaurants/bar); Transport; Media & communications; Finance & insurance services; Rental, real estate & property services; Professional, scientific, technical services; Administrative services; Education & training; Health care and social assistance; Arts & recreation services]

50% of respondents operated in metropolitan NSW (Sydney), while 35% were from regional NSW and 11% from rural NSW.

[Table 6: Business location (bar chart). Categories: Metro NSW (Sydney); Regional NSW; Rural NSW; Nationally; Overseas; Online only; Other Australian state or territory]


Survey findings

Online presence

While 95% of Australian businesses have internet access15, most SMEs have a limited online presence. Almost 50% of SMEs limit their online presence to only a business website with contact details and social media (Table 8: Online presence).

Other than the small percentage of SMEs —just 9%— that use an online platform such as Airbnb, Airtasker and Uber, SMEs were least likely to offer a business website with product viewing or purchasing functionality (only 20% of respondents).

Online presence

Interestingly, SMEs that indicated they were less knowledgeable about cybercrime had the largest online presence. Of those SMEs with a turnover of $2 million or more, 70% had a website with product viewing functionality, and 55% had a website with purchasing functionality. For SMEs in this turnover category, almost 60% stated they did not feel well-informed about the risks of cybercrime to their business.

Females were more likely than males to have a website with online product viewing or purchasing functionality at almost 40% and 30% respectively. This compares to 28% and 16% of males.

Furthermore, 70% of SMEs with turnovers of $2m or more had websites with product viewing functions and 50% had purchasing functions. This reinforces reports that small businesses are 1.5 times more likely to be growing revenue if they have a strong digital footprint.16

Although almost 50% of regional and rural SMEs most frequently shared their contact details with the Yellow or White Pages or Google, businesses in these locations were more likely than those in metropolitan Sydney to have a business website with product viewing or online purchasing functions.

Finally, 25 to 34-year-old respondents had the highest proportion of online presence by age group: almost 50% and 47% respectively had websites with product viewing or purchasing functions.

Table 8: Online presence

Yellow or White pages, Google or other directory 38.9%
Business website, with contact details 47.7%
Business website, contact details, product viewing online 31.0%
Business website, product viewing online, with function to buy and deliver online 19.9%
Social media (Facebook, Instagram, Twitter or other) 49.4%
Online platform (Gumtree, Airtasker, AirBNB, Uber, Deliveroo) 9.4%

Almost 50% of SMEs limit their online presence to only a business website with contact details and social media.

15 ABS Report 8129.0 2015.

16 Deloitte Access Economics 2016.


Online activities

Although internet usage amongst businesses in Australia is at 95%17, almost 50% of SMEs believe that their business is protected from cybercrime through a limited online presence. Furthermore, the most frequent online activities of SMEs are receiving and sending emails (two or more each day) (Table 9: How often do you use the following online activities?). Additionally, almost 50% of SMEs have a social media presence. It is through these activities that SME owner-operators may, unknowingly, expose their businesses to cyber security risks. This is because, of the 294 billion emails sent each day, it is estimated that 90% of these are spam.18

This may mean that in order to make it safer to do business online, SMEs may need to be educated on the risks of social media and email cybercrime.

The lesson is clearest from the small business owners that have been victims of cybercrime.

Table 9: How often do you use the following online activities?

1 Receiving and responding to emails: 2 times per day
2 Online banking: Every day
3 Reading news about my industry online: Every day, or once or twice a week
4 Reviewing regulatory updates in my industry online: Rarely
5 Buying goods or services online: Once a week, rarely
6 Selling goods or services: Rarely, never

The least frequent online activity was selling goods and services online, reinforcing the low levels of online presence amongst SMEs, at 20% of SME respondents overall.

Of those surveyed, 80% of SMEs feel they can respond to a security breach.

Only 10% of SMEs considered cybercrime a number one priority.

17 ABS Report 8129.0, 2015.

18 Cybersecurity Ventures 2016.

But SMEs want help when it comes to tackling cybercrime.

Only 1 in 5 SME owner-operators purchases insurance products to protect them from cybercrime.


Everyone’s an expert

When it comes to the perception of cybercrime, almost two in three SMEs feel well-informed about the risks of cybercrime. This makes SMEs more confident than their equivalents in larger organisations or governments.19

Risks of cybercrime

Of SME respondents with turnovers of $2 million or more, 58% indicated that they were not well-informed about the risks of cybercrime to their business, while 64% of SME respondents with turnovers below this amount indicated a higher level of confidence (Table 10: Risks of cybercrime).

Older SME owner-operators aged between 55 and 64 years feel well-informed of the risks of cybercrime to their business (60%), while younger age groups, particularly those aged 25 to 34 years, indicated they were not well-informed, at 51%.

Furthermore, a higher proportion of SME respondents from both regional and rural NSW (41%) indicated that they were not well-informed on the risks of cybercrime. This compares with only 26% of respondents from metropolitan Sydney.

Female respondents also indicated that they were not well-informed of the risks of cybercrime at 44%. However, this may be reflective of the higher proportions of females in both the age segment of 25 to 34 years and in regional and rural locations.

Do you believe your business has the expertise and the resources to respond to a security breach?

Of those surveyed, 80% of SMEs feel they can respond to a security breach. While only 20% of SMEs are confident that they have the expertise and resources to respond because they have done it before, over 60% of SMEs indicate that despite not having the resources or expertise, they are confident their business will be able to respond to a security breach (Table 11: Do you believe your business has the expertise and resources to respond to a security breach?).

This level of confidence may be due to the nature of SMEs, with owner-operators getting on with things and keeping their business running in the face of many obstacles.

[Pie chart: Do you believe your business has the expertise and the resources to respond to a security breach? Yes, we’ve done this before 19%; No, but I am confident we will get through it 61%; No, and I’m concerned 20%]

98% of SMEs indicated they would seek help for cybercrime.

[Pie chart: Risks of cybercrime. Categories: Very well informed; Fairly well informed; Not very well informed; Not at all informed; I'm not sure. Values shown: 48%, 29%, 16%, 4%, 3%]

19 Minter Ellison Lawyers 2016.

That’s ridiculous. It makes me think that they don’t understand what a cyber event can do and what can be done to their business.
Small business owner and cybercrime victim


Confident but concerned

SMEs did not rank cybercrime high on their list of the biggest risks to their business, ranking cybercrime fifth (Table 12: What do you see as the biggest risk to your business?). This contrasts with other research, which reported that 91% of experts stated that cyber security is a top priority at the board and executive level, and only 62% of cyber security novices say the same.20 In this study, only 10% of SMEs considered cybercrime a number one priority.

What do you see as the biggest risk to your business?

1 Managing my overheads and expenses

2 Chasing payments and having enough cash to run my business

3 Competitors, and start-ups disrupting my business

4 Political uncertainty (reduced buyer confidence, failure of governance)

5 Cybercrime

6 Finding the right skilled employees for my business, unreliability, theft by employees

7 Someone physically stealing my business’ customer list, or business secrets

8 Environmental (natural catastrophe, other extreme weather events, climate change)

Despite the low priority, owner-operators are concerned generally about a variety of cyber security events. SMEs are most concerned about fraudulent emails or phone calls, social media hacking, online banking fraud, crypto-ransomware and malware (Table 13: Types of cybercrime).

Types of cybercrime and level of concern*

Business identity theft (somebody stealing your business’s data and impersonating your business): Fairly concerned, Not very concerned
Receiving emails or phone calls fraudulently asking for access to your computer, logins, or business details, including seeking payment: Very concerned, Fairly concerned
Online supplier fraud where goods purchased are not delivered, counterfeit or not as advertised: Fairly concerned, Not very concerned
Not being able to access online services required for your business because of cyber-attacks: Fairly concerned
Your business’ social media or email account being hacked: Very concerned, Fairly concerned
Being a victim of bank card or online banking fraud (crypto-ransomware): Very concerned
Being asked for payment in return for getting back control of your computer (crypto-ransomware): Very concerned
Discovering malicious software (viruses, etc.) on your device (malware): Very concerned

*two levels of concern indicate a bi-modal distribution

Less than 30% of SME respondents reported having suffered a cybercrime event.


20 Hiscox 2017.


How to handle the risk

Of the SMEs surveyed, 75% indicated they are influenced by their own experience when managing risks in their business. This compares with only a third indicating that managing risks was influenced by advice they received from a specialist (lawyer, accountant, broker, IT expert). Despite this overwhelming confidence, when it came to seeking help, less than 2% said they did not require help for responding to a cybercrime.

The research indicated that despite this startling confidence, 98% of SMEs indicated they would seek help for cybercrime. In fact, of those SMEs that said they ‘had the resources and skills necessary’ to respond to a cybercrime, a total of 65% believed they would contact an IT forensic consultant for cybercrime generally.

Protection

Almost 50% of SMEs believe their business is protected from cybercrime through a limited online presence or through their Microsoft Windows or Mac software and updates. SMEs appear reluctant to have a greater presence online, in order to reduce their exposure to cybercrime. This potentially overlooks some of the significant economic benefits that can be derived from product viewing and purchasing functionality.21

Insurance is not used as a risk management tool by SMEs, with only one in five SMEs indicating that their business was protected from cybercrime through insurance products held. This might even be over-reported, as some SMEs may mistakenly believe they are covered under an insurance product.

Getting help

In the event of a cybercrime, 60% of SME respondents indicated that they would most likely seek help from an IT forensic consultant. Following this, Google (40%) was the most likely next source for help. Notably, the enforcement agencies and government ranked below these, with police at 36%, then finally, the government at 34% (Table 14: Where would you get help?).

There remains a challenge, though, in helping SMEs identify the appropriate cyber security professional, as one small business owner stated:

 Where would you get help? Percent

Nowhere 2%

IT forensic expert 60%

Previous experience or knowledge 29%

Business or industry associations 29%

Family, friends 20%

Other businesses 13%

Course, training seminar 8%

Government body or agency 34%

Mentor 10%

Business partner 9%

Internet or Google 40%

Insurer or insurance broker 14%

Police 35%

I wouldn’t know who to contact 10%

Percentages total more than 100%

Table 14

21 Deloitte Access Economics 2015.

IT Forensic consultant? What does that even mean? The average SME doesn’t understand what they need from IT. And no one is branding themselves correctly as able to help. My own web designer told me that it was beyond their own expertise, and I had to get a recommendation from a business colleague.
Small business owner and cybercrime victim


Reported cybercrime events

Less than 30% of SME respondents reported having suffered a cybercrime event, which is a much lower percentage than larger businesses report.

It has been reported that more than half of cyber security incidents target small businesses.22 Another report found that almost 60% of cybercrime impacts SMEs.23

This may mean that many SMEs were largely unaware that they had suffered a breach.

Following the event

The following word cloud displays the most highly ranked phrases that SMEs use to respond following a cyber security event. Where is there more work to be done? Only one SME indicated they had an incident response plan, and no SMEs made mention of encryption. Both are recommended by professionals and industry as some of the best ways for SMEs to protect themselves.

Tools of the trade

Looking at risk-management expenditure by SMEs, SMEs overwhelmingly indicated that they spent approximately $1,000 on computer software and hardware, while tax advice varied from no spend to $20,000. Furthermore, SMEs spent the least on insurance advice and legal advice, but spent up to $20,000 per year on insurance policies.

To combat this, SMEs have strongly indicated that there is a preference for resources or tools that would assist in reducing their business’s exposure to cybercrime. Of SME respondents, 93% said they would like a tool, and 70% confirmed they would pay for a tool. This indicates that there is a need for risk-management tools for SMEs to assist in protecting them from cybercrime (Table 15: Would you spend money on resources or tools to help you minimize your business’s exposure to cybercrime?).

Would you spend money on resources or tools to help you minimize your business’s exposure to cybercrime?

| Answer | Response Percent | Response Count |
|---|---|---|
| No, I don’t need any tools | 6.8% | 72 |
| No, but I would like a free tool | 22.4% | 238 |
| Yes, but less than $100 | 22.1% | 234 |
| $100 to $200 | 17.4% | 185 |
| $200 to $300 | 9.0% | 95 |
| $300 to $500 | 22.3% | 237 |


Table 15

22 Cybersecurity Ventures 2016.
23 Symantec Corporation 2015.

Most people are starting to realise that there are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.
Ted Schlein, Venture Capitalist at Kleiner Perkins Caufield & Byers


What you can do

There are several steps you can take as an SME owner-operator to protect your business from a cybercrime event and ensure your business’s most confidential information is kept safe:

• educate and train staff

• continuously update software

• use two-factor identification for emails and payments

• encrypt important customer files.

Next steps

This important research will inform and help us design educational and practical tools aimed at assisting SMEs in preparing for and responding to a cyber security event. If you would like to get involved or would like to learn more, please contact us directly at [email protected]

Methodology

The survey questionnaire was designed from a number of global cyber security surveys and risk surveys. It was distributed via email to a number of randomly selected SMEs from the Australian Business Register, and businesses subscribed to our database. The survey was open from 9 January 2017 to 28 February 2017. Two prizes of Load and Go gift cards were drawn on 28 February 2017 and sent to two small business owners.

Who we are

The Office of the NSW Small Business Commissioner (OSBC) is in the business of creating positive and sustainable change for small businesses in NSW.

The OSBC works closely with a wide range of stakeholders—including small business owners, councils, government agencies and industry associations—to resolve disputes and identify and address the key issues facing small businesses in NSW.

Author: Skye Theodorou, Advisor (Advocacy and Strategic Projects), Office of the NSW Small Business Commissioner

References

Australian Bureau of Statistics, 2016, Report 8165.0 – Counts of Australian Businesses, including Entries and Exits, June 2011 to June 2015, Australian Bureau of Statistics, Canberra.

Australian Bureau of Statistics, 2015, Report 8129.0 – Business Use of Information Technology, 2013-2014, Australian Bureau of Statistics, Canberra.

Australian Bureau of Statistics, 2015, A Profile of Australian Women in Business – A Report prepared by the ABS for the Office for Women, 2015, Australian Bureau of Statistics, Canberra.

Australian Bureau of Statistics, 2013, Report 8175.0 – Counts of Australian Business Operators, 2011-2012, Australian Bureau of Statistics, Canberra.

Australian Government, 2017, Australia’s Cyber Security Strategy – enabling innovation, growth and prosperity – First annual update, Attorney-General’s Department, Canberra.

Australian Government, 2013, National Plan to Combat Cybercrime, Attorney-General’s Department, Canberra.

Cybersecurity Ventures, 2016, Hackerpocalypse: A Cybercrime Revelation, Cybersecurity Ventures.

Deloitte Access Economics, 2016, Connected Small Business.

Hiscox, Cyber Readiness Report, 2017, Hiscox Insurance Company.

Janda, M, ‘Standard & Poor’s reiterates Australian credit rating warning’, Australian Broadcasting Corporation, 22 November 2016, viewed 19 February 2017, www.abc.net.au/news/2016-11-22/standard-and-poors-reiterates-australian-credit-rating-warning/8045466.

Mazzarol, T., Reboud, S. & Clark, D. 2015, ‘The financial management practices of small to medium enterprises’, paper presented to the 28th Annual SEAANZ Conference Proceedings, Melbourne, 1-3 July 2015.

Minter Ellison Lawyers, 2016, Perspectives on Cyber Risk.

Schaper, M.T. and Weber, P. (2012) ‘Understanding Small Business Scams’, Journal of Enterprising Culture, 20(3) pp. 333-356.

Symantec Corporation, 2015, Internet Security Threat Report 2015.


www.smallbusiness.nsw.gov.au

