Lots of small to medium-sized businesses aren't.
According to the Federal Government’s Australian Cyber Security Centre, many businesses with outsourced IT security “believe they are better protected than they really are”. The agency receives around 144 reports of cybercrime every single day—with the average attack costing a business around $39,000. In New Zealand, according to Stats NZ, six per cent of businesses have experienced a cyber attack in the past two financial years that has resulted in loss or damage. Sixty per cent were malware attacks and 42 per cent were attacks by hackers.
Samuel Rogers is head of cyber insurance at Dual Asia Pacific. He says cybersecurity refers to the protection of sensitive business-critical information, data and systems from outside interference—a cyber attack.
He said it is a mistake for small-business owners to think they are too small for hackers and cybercriminals to bother with.
“Small businesses are viewed by threat actors as low-hanging fruit,” Samuel said.
Even if you’re not specifically targeted, Samuel said it is very common for small businesses to get caught up in large-scale ransomware-as-a-service style attacks, which might affect your cloud service provider or customer relationship management system.
“Most of the time, cyber attacks arrive in a spam email,” Samuel said. “I think there’s a belief in the business community that cyber attacks involve somebody hacking into a network, compromising an antivirus platform or breaking through a firewall. That’s generally not the entry method that a lot of threat actors use, especially in a small-business space.
“What you’ll normally see is just an email that purports to be something from a bank or from a retail platform or potentially from a customer that entices somebody to click on something or download a PDF document or something like that. It looks legitimate, somebody clicks on it and it will often lead to a duplicate website which asks them to type in credentials or uploads an executable file on their PC, which then allows a threat actor to get access.
“So, it bypasses all of those more traditional methods of protecting systems. That tends to be the most common form of loss that we’re seeing.”
Samuel recommends several forms of protection, including multifactor authentication, employee training, web and email filtering, privileged access management, and working with third-party vendors to ensure proper security measures are in place.
He also recommends cyber insurance—which not only provides coverage for cyber attack incidents but also provides help with incident response, such as forensics, notification expenses, public relations, and legal support.
“If you buy a cyber insurance policy, you can get access to a panel of those providers that will do that for you; that’s bundled within the policy itself,” Samuel said. “Then you get access to all the insurance elements as well, which can cover the cost of data and system restoration. If there is encrypted data or damaged data, you can get the cost of actually restoring that data and technical assistance in restoring it or potentially re-creating it from scratch. As for the payment for ransoms, this is a question that comes up a lot, and there is a legal process that’s involved in determining whether a ransom is actually insurable or whether it should be paid, because you could potentially be in violation of sanctions.”
They’re all headaches most Members will want to avoid, and will certainly want help with in the event of a cyber attack—and having the right protection helps ensure you have all the assistance you need.
Contact your local Risk Account Manager for more information, or simply call 1800 007 022 in Australia or 0800 555 303 in New Zealand, or email info@capricornrisk.com for assistance.
*Cover may differ based on each protection or insurance product. Steps you may be required to take to attract protection under the relevant product may also differ.
In Australia: Products sold through Capricorn Risk Services Pty Ltd (ABN 91 111 632 789) are: (i) discretionary risk protection products issued by Capricorn Mutual Ltd; and (ii) general insurance products issued by a range of insurers and brokered through Capricorn Insurance Services Pty Ltd. Before deciding to acquire any product, you should consider the Product Disclosure Statement available from Capricorn Risk Services Pty Ltd to see if the product is appropriate for you. Capricorn Risk Services Pty Ltd is a Corporate Authorised Representative (No. 460893) of Capricorn Mutual Ltd (AFSL 230038) and Capricorn Insurance Services Pty Ltd (AFSL 435197). For its protection, Capricorn Mutual Ltd has published a Target Market Determination which is available at capricorn.coop/about/capricorn-mutual. Capricorn Insurance Services subscribes to National Insurance Brokers Association of Australia's (NIBA) Insurance Brokers Code of Practice, available at cap.coop/NIBA.
In New Zealand: Products sold through Capricorn Risk Services Pty Ltd include discretionary risk protection and general insurance products. Discretionary risk protection is issued out of Australia by Capricorn Mutual Ltd. Before deciding to acquire discretionary risk protection, you should consider the Product Disclosure Statement to see if it is appropriate for you. This can be obtained from Capricorn Risk Services by phoning 0800 555 303, emailing info@capricornrisk.com or checking the website capricorn.coop/risk. General insurance products are issued by a range of insurers and are available through Capricorn Risk Services Pty Ltd as a member broker of PSC Connect NZ Limited. Capricorn Risk Services is a registered financial services provider (390466) and a corporate Authorised Representative (No. 460893) of Capricorn Mutual Ltd (AFSL 230038). Capricorn Mutual Ltd has published a Target Market Determination for its protection, which is available at capricorn.coop/about/capricorn-mutual.