Cyber security is a business risk, not just an IT problem. An increasing number of individuals and businesses are falling victim to various forms of cyber-attack, with cyber criminals searching for vulnerabilities in IT setups and catching employees off guard. As a result, small businesses are susceptible to attacks that can have devastating consequences.

The following staggering statistics have come out of the Annual Cyber Threat Report for 2022:

  • The Australian Cyber Security Centre received over 76,000 cybercrime reports, equating to one report every 7 minutes;
  • The average cost per cybercrime report was over $39,000 for small businesses, $88,000 for medium businesses and $62,000 for large businesses.

With these statistics in mind, it is important that you take steps to minimise the risk of cybercrime affecting your business.

What Steps Can I Take To Reduce the Risk of Cybercrime Affecting My Business?

Cyber security is something that all organisation leaders need to be well informed about; they should not rely solely on an IT department or an external IT company. Business managers are responsible for ensuring that the cyber security controls implemented are sufficient for the needs of the business.

It is also important to note that a significant portion of security breaches involve the human element (for example, the use of stolen credentials, phishing, misuse, or human error). It is therefore essential that all staff receive ongoing cyber security training. There is plenty of guidance, and a number of available frameworks, to assist you in mitigating the risk for your organisation.

Cyber Security for Small Businesses – Small Business Cyber Security Guide

The Small Business Cyber Security Guide is an Australian guide intended for smaller entities. It uses simple terminology and requires limited technical support, making it a good starting point for a small business owner needing to upskill in cyber security. Information within this guide includes:

1. Cyber Threats To Be Aware Of

  • Scam messages (phishing) – generally scammers are trying to compromise your account passwords by asking you to log in to your account or enter confidential details through a fake website;
  • Malware – malicious software designed to cause harm, which may involve deleting or corrupting files, stopping devices from working properly or allowing others access to private data; and
  • Ransomware – a dangerous type of malware that works by locking up or encrypting files so you can no longer access them.

2. Software Considerations

  • Automatic updates – helps ensure any security deficiencies are fixed;
  • Automatic backups – will allow you to recover your information if it becomes lost or compromised; and
  • Multi-factor authentication (MFA) – which adds another layer of security.

3. People and Procedures

  • Access control – staff should only have access to required areas/data;
  • Passphrases/passwords – need to be strong; you should also consider using a password manager; and
  • Employee training – staff should be provided with updated cyber security training on a regular basis.

Visit the Australian Cyber Security Centre for more information and to download a copy of the small business cyber security guide.

Cyber Security for Medium & Large Businesses – The Essential Eight

The Essential Eight is a cyber security framework developed by the Australian Cyber Security Centre, targeted towards medium and large entities. Although it may require a reasonable amount of technical support, implementing these eight mitigation strategies as a baseline will make it much harder for cyber criminals to attack your business.

The Essential Eight - Outlining the 8 steps of the Essential Eight

The following are the mitigation strategies of the Essential Eight:

  1. Application Control: This control involves restricting the execution of unauthorised applications to prevent malware from running on systems.
  2. Patch Applications: This control involves keeping software up-to-date with the latest security patches to prevent known vulnerabilities from being exploited.
  3. Configure Microsoft Office Macro Settings: This control involves configuring Microsoft Office macro settings to prevent macros from running automatically and potentially executing malicious code.
  4. User Application Hardening: This control involves configuring web browsers and email clients to block or warn users about potentially malicious content.
  5. Restrict Administrative Privileges: This control involves restricting administrative privileges to prevent unauthorised changes to systems and data.
  6. Patch Operating Systems: This control involves keeping operating systems up-to-date with the latest security patches to prevent known vulnerabilities from being exploited.
  7. Multi-factor Authentication: This control involves implementing multi-factor authentication to prevent unauthorised access to systems and data.
  8. Regular Backups: This control involves backing up important data daily to ensure that it can be recovered in the event of a cyberattack.

Visit the Australian Cyber Security Centre to access more information about the Essential Eight.

Information for Larger Organisations

Larger organisations are going to require more in-depth cyber security controls and may consider applying the following:

  • ISO 27001: An international standard focused on information security management.
  • Information Security Manual: An Australian cyber security framework that organisations can apply, using their own risk management framework, to protect their information and systems.

Seek Support

We are not cyber security experts but are here to listen to you and support your business. If you would like to discuss your business with our Business Advisory team, please contact our offices on (03) 5221 6399 or at

This article was written by Auditor Olivia Hoskin.

Disclaimer: this information is of a general nature and should not be viewed as representing financial advice. Users of this information are encouraged to seek further advice if they are unclear as to the meaning of anything contained in this article. Davidsons accepts no responsibility for any loss suffered as a result of any party using or relying on this article.

Additional Sources:

ACSC Annual Cyber Threat Report, July 2021 to June 2022

Critical Cyber Crime Statistics in Australia 2023 – eftsure