Busting the small business data breach myths
Article

Why would a sophisticated cyberattacker want to target a small business like mine?

It’s one of the most frequent questions I hear in conversations with clients and one that is full of misunderstandings.

There is often a state of hyper-alertness following high-profile data breaches on big organisations that have exposed the information of millions of people.

The cost of each cyberattack and data breach averaged around $3.35 million in Australia in 2020, and they have a long tail, with estimates that in some cases almost half of the costs are incurred 12 months after the attack.

But at the same time, high-profile attacks produce a feeling of relief within small and medium-sized businesses, which are grateful that they don't hold the volumes of personal information and cash of big firms and so believe they will never be hit.

The problem with the opening question is the three assumptions behind it: that attackers can't be bothered with small outfits, that attacks are necessarily sophisticated, and that small and medium businesses hold nothing of value.

Myth 1: SMBs are not cyber targets

Information gathered by the Office of the Australian Information Commissioner shows that, in the six months to December 2021, 96% of data breaches affected 5000 individuals or fewer, and 71% affected 100 people or fewer.

That’s right in the small business ballpark.

Pitcher Partners’ recent Business Radar 2022 report revealed that a quarter of mid-market businesses have experienced a cyberattack of some kind, everything from text message phishing to ransomware attacks.

However, the real number may be even higher, as many mid-market businesses may be reluctant to speak up through fear or embarrassment.

Others may have been compromised and just don’t know yet. I’m aware of one company which had no reason to suspect a data breach until the police showed up on their doorstep. Criminals had been lurking in their networks for 12 months and data linked to the company had been found.

Cyberattacks and data breaches hit small and medium businesses more often than big businesses simply because they are more vulnerable.

Myth 2: ‘Sophisticated’ cybercriminals

Small businesses don’t necessarily have millions of dollars in the bank, but they still have two things that attackers want – data and connections.

In the mind of the community, cyberattacks conjure pictures of teams of tech-savvy crooks writing code in a basement to crack open banks and cash-rich businesses.

For sure, there are instances where cybercriminals are sophisticated outfits. But they are far more likely to share a trait with every other common crook: they are opportunists.

The reality is that they simply take advantage of a security gap, or exploit a known vulnerability in old, unpatched software that the business is still running.

Very little in cyberspace is sophisticated – often, breaches start with people disclosing passwords.

Myth 3: My company isn’t valuable enough

A cash ransom is not always the end game. Reconnaissance is equally important.

Information gained from smaller, more easily accessible organisations about systems and networks is preparation for more lucrative operations.

If your small operation supplies a big mining company or major manufacturer, who does it make more sense to target in the first instance?

Attackers gather details about systems, expose client relationships and can gather confidential information about directors, partners and other stakeholders.

There is also vital data concerning customers and suppliers, such as identification details, as we have seen in recent breaches of high-profile companies.

If you are the weak link that allowed an attacker to break in, will businesses and customers still want to keep working with your business?

Simple steps to prepare, defend and act

Most attacks are preventable and business leaders need to focus on what they can control.

Identify the most critical data assets and take every reasonable measure to ensure they are protected, rather than being overwhelmed by trying to cover all bases to the same depth.

Ensure that the business will actually know when a breach has occurred. Without this element, it may be months before an organisation is even aware of an attack, let alone how much it has been compromised.

Finally, have an action plan prepared if a breach does occur.

The plan needs to be detailed because the response to different attacks will vary, and business leaders need to know their regulatory obligations and notification requirements.

Data breach threats have been around for quite some time, yet myths persist that serve to excuse business leaders from preparing.

Cyberattacks are not necessarily about exploiting the wealthiest businesses, but those more likely to underspend on their digital protection.

This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners or its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.
