How secure is your business online?

Every 39 seconds, a hack occurs – and SMEs are increasingly vulnerable. Macquarie’s recent Breakfast Briefing shared some important tips on building resilience to fraud.

Social engineering and email compromise are on the rise

As businesses adopt and depend on increasingly advanced digital technology, the risks of doing business evolve. And while larger organisations have strengthened their cybersecurity systems and protocols, smaller firms become more vulnerable – because cyber-criminals know their weak spots make them easier targets.

“There are two types of businesses: those who have been hacked, and those that will be,” Macquarie Group’s Associate Director - Fraud Investigations Jonathan Martin told the audience at Macquarie Bank’s breakfast briefing, Fraud awareness and resilience.

The data paints a worrying picture. Every year, Australian organisations lose $60 million to cybersecurity breaches – but spend just 6% of their digital budget on cybersecurity.[1] And according to Scott Curley, Director - Professional Risks and Trade Credit, GSA Insurance Brokers, every 39 seconds, a hack occurs – with 43% of cyber attacks targeting small and mid-sized businesses.

Yet a 2017 survey found 56% of Australian small businesses don’t have cyber protection – or assume it’s already covered through their business insurance.[2]

Curley said that’s a common myth. Professional indemnity, business and public liability insurance won’t cover things like cyber extortion, data loss through a hack, or third party costs.

“We insure our office buildings, even though they have sprinklers and a back to base fire alarm. But 99% of your revenue might be generated online, and you don’t think to protect that aspect of your business,” he said.

The changing face of fraud

Martin described the many different ways criminals are now extracting money from businesses – from ATO scams to fake documents and malware. “People trust too easily. They don’t look at the details – but hackers do.”

He is seeing an increase in payment modification, and daily reports of email compromise. “It’s important to verify any new instructions – call the sender to check it’s really from them.”

There are now over 200 million forms of malware, and they could be entering your business inboxes on a daily basis.

“Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’,” explained Martin. That attachment could contain malicious code which injects a new web page into your browser – it might look like your bank’s online banking portal, for example.

“We’re also seeing an increase in ransomware demands – especially in small and mid-sized businesses,” said Martin. “You click on a link or attachment from a ‘trusted’ sender, and it launches a code that encrypts your files or locks down your screens and servers so you simply can’t operate.” With pressure to keep the business running, many business owners pay the ransom – often in bitcoin.

Not all scams come through email. Social engineering, where hackers manipulate people for confidential information, can often happen over the phone.

“Don’t make a payment on impulse. Take a step back if someone phones making urgent demands,” urged Martin.

An exponential effect on business bottom line

“Fraud can cause significant damage. You could lose a month’s turnover, but there are also long lasting damaging effects to reputation and staff morale,” Martin said.

With Australia’s new data breach laws now in place, any organisation with revenue exceeding $3 million must comply by ‘promptly notifying individuals at likely risk of serious harm’ of any breach in their personal data.[3]

Otherwise, you could face fines of up to $2.1 million. And even when you do comply, there is the cost of notifying thousands of clients and containing any reputational damage.

Check your internal controls

Many businesses believe their third party providers, such as cloud providers or web hosting platforms, are taking care of this issue. But the cloud is just as vulnerable as a data centre. “We see increasing reliance on third party services,” said Martin. “Do some due diligence to make sure they’re covered.”

So how do you protect yourself from the risk of cyber fraud?

First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, which red flags to watch out for, and how to report an issue if they spot something.

“All this can also happen in their home if they work remotely, so make sure their home wi-fi is secure,” noted Martin.

Outsource your cyber response

Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.

“They know the first six to 12 hours of response are critical,” said Curley. “If it’s a denial of service attack or ransomware, they’ll check how real the threat is and if necessary pay the ransom.”

You can expect your cyber policy to also take care of the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third party costs such as litigation, penalties, and notification costs. “In our office alone, we see at least one claim a week for some form of social engineering fraud,” said Curley.

It seems that cyber insurance is the one risk tool your business can’t afford to operate without. But given it’s a relatively new product in Australia, it’s worth getting a broker’s advice first.

Additional information

Any information on this page in relation to mortgages has been prepared by Macquarie Securitisation Limited (MSL) Australian Credit Licence (ACL) 237863 ACN 003 297 336.

Unless stated otherwise, this information has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502.

This information is provided for the use of licensed and accredited brokers and financial advisers only. In no circumstances is it to be used by a potential client for the purposes of making a decision about a financial product or class of products.