While businesses generally have some awareness of cyber security risks, we often see smaller businesses think of themselves as inconsequential targets compared to larger organisations with more assets and financial wealth.
The reality is that there’s no correlation between business size and risk. In fact, small businesses are an as big – if not a bigger – cyber security target because they are perceived as easier to compromise, and while the payoff may not be as big, it’s still large enough to hurt. The average cost of an incident to a small business is about $9000, and that only covers the incident response, not ongoing costs such as remediation and market or reputation damage.
Most of the time, the amount of focus and investment Australian SMBs give to cyber security corresponds to direct or third-party exposure to the risks. We tend to find businesses relying on direct or indirect knowledge of another business/industry close to them being breached. Less commonly, some businesses have a staff member who has knowledge of cyber security threats and is convinced of the benefit in conducting a risk assessment, risk reduction or threat mitigation exercise and becomes the primary reason that their organisation will act and invest in cyber security.
However, a broader discussion on cyber security has started to take place among Australian SMBs. The catalyst for this shift is the Australian Government, which is offering credits and tax offsets for SMBs to invest particularly in “cyber security systems” and other digital tooling.
Since the measure was unveiled in the 2022-23 Budget, we’ve seen a marked increase in the amount of cyber security discussions. The tax offset removes the cost of entry to cyber security as being a potential barrier. It encourages and rewards small businesses that take cyber security seriously.
It also shows small businesses that they should be investing in cyber security, and that it can no longer be deprioritised. When the Government raises cyber security of SMBs as an issue, and puts funding behind mitigating it, this acts as a strong signal for business as they set priorities for 2022 and beyond.
Making the first move: an independent assessment
One at a time, as SMBs start to take up the offer of cyber security investment assistance, they have the capability to be able to offset the cost of implementing these protective services that they potentially wouldn’t have accessed before.
But how they approach the space, where they may have limited or no internal domain expertise, can be challenging.
We’re seeing a lot more small businesses seek an independent cyber security assessment to understand where they stand now and how their newfound budget can be best spent.
What they are most keen to understand is their current state of play and where their cyber security risks are. It is likely that Australian SMBs will baseline themselves against key standards such as the CIS Top 18 cyber security controls or – closer to home – the Essential Eight controls written by the Australian Signals Directorate. Both have traditionally provided guidance and ‘north star’ goals for all businesses that are investing to improve cyber security postures. They also make useful baseline measures for SMBs, as all businesses can equally benefit from the application of best practices to whatever discipline or domain they are working in.
Given SMB budgets are still going to be small, regardless of Government assistance, it is very likely that the result of these assessments will drive SMBs to consume a mix of managed cyber security services. The exact mix will depend on the outcome of the assessment, but managed services generally are the most cost-effective way to access otherwise high-end levels of protection, avoiding significant upfront outlay while also leveraging the expertise of the managed service provider and the vendor whose technology is used.
The combined efforts of all parties involved will act as a force multiplier for the security posture of individual Australian SMBs, and for the sector generally.