The second annual Chubb Australia SME Cyber Preparedness Report 2019 – “Ignorance is Risk” – released recently, reveals 47 per cent of small and medium enterprises (SMEs) in Australia are not aware of their obligations under the Notifiable Data Breaches (NDB) scheme. This follows the introduction of the NDB scheme by the Office of the Australian Information Commissioner (OAIC) in February 2018, which requires businesses covered under the Privacy Act to report data breaches involving personal information.
“While larger companies seem to understand their obligations, SMEs are less clear,” said Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific. The report found that many SMEs do not understand precisely what type of data breaches require notification.
“This is a huge cause for concern. A cyber incident can be catastrophic for a smaller organisation, and this lack of understanding around reporting obligations raises the stakes further. While the NDB scheme is receiving more notifications, it is highly likely that many more breaches have gone – and continue to go – unreported.”
The NDB scheme received 967 breach notifications between 1 July 2018 and 30 June 2019.
In 2019, one in two (49 per cent) SMEs said they had been the victim of a cyber incident, down on the previous year where 64 per cent had fallen victim. Rather than continuing to be vigilant, the findings suggest that SMEs have become overly confident when it comes to their cyber risk preparedness, with one in three (32 per cent) senior leaders assuming their businesses will never experience a cyber incident. SMEs also are less worried about the impact on their business, with significant drops across four key areas of concern:
Relationship with customers
Revenue and sales
Cost of the incident
Increased awareness but still unprepared
Fewer leaders (31 per cent) feel that their employees do not recognise how serious the threat of cyber risk is to their business, down from 45 per cent in 2018.
However, several other findings reveal that there is still a long way to go:
Close to half (49 per cent) of SMEs do not have a data breach response plan.
79 per cent are confident they can overcome a breach by sophisticated hackers within 24 hours.
Only 43 per cent of SMEs in Australia are investing in cyber risk training for their employees.
Just over one quarter (27 per cent) of SMEs have cyber risk insurance.
“We believe Australian SMEs must review their preparations closely and ensure they are adequately equipped to manage cyber risk,” said John DePeters, Cyber and Technology Industry Practice Manager, Australia and New Zealand. “In the coming years, the global economic cost of cyber risk is forecast to increase substantially. With SMEs making up 96 per cent of all businesses in Australia, they will be hardest hit.”
DePeters added, “We hope our research can raise awareness around cyber preparedness and emphasise to SMEs that, when it comes to cyber incidents, ignorance is risk not bliss.”