Think HBR


Mark Bramley
Arthur J. Gallagher
You can easily be forgiven for downplaying the risk of a cyber-attack. After all, most of the headlines surrounding these attacks centre on major household brands, or top-end-of-town corporations. What does a small business have to worry about?
Well, unfortunately, there’s plenty. Just think of the WannaCry ransomware attack that swept the globe in May, infecting nearly 250,000 computers in more than 150 countries! Australia was lucky to miss the worst of it, but there's no room for complacency.
Small business is definitely not immune. Fortunately, you can be better prepared. Cyber security experts are aware of the common ways criminals gain a foothold in, or attack, organisations, and whether it’s technical weakness, human error, or brute force, there are some risks to look out for.
• Malware: today’s primary cyber threat, malicious software is constantly evolving, and now includes ransomware: a tool used to extort money out of businesses by locking them out of their devices or files and often threatening them with deletion.
• Hacking: a ‘hack attack’ typically involves cyber criminals trying to modify or alter computer software and hardware, or steal sensitive information that they can later use either to damage stakeholders or to sell for profit on the open market.
• Phishing attacks: criminals masquerade as trustworthy entities in electronic communications in an attempt to obtain sensitive information for malicious purposes. Used as a first step, phishing attacks are becoming increasingly sophisticated.
• DDoS attacks: through a Distributed Denial of Service attack, cyber criminals essentially block access to a website they want to target by inundating it with traffic from multiple compromised systems, rendering it inaccessible to users.
• CEO invoice fraud: hackers assume the digital identities of C-suite employees to influence others to break normal financial security procedures around paying invoices. This has the potential to disrupt any business that fails to follow stringent accounting sign-off processes.
Typical follow-up actions in the event of a cyber breach include forensic IT investigation, data restoration, replacement of compromised devices, legal representation, potential privacy fines and penalties, and, of course, reputational damage.
Four simple ways to minimise cyber exposures
All businesses can minimise their cyber security exposures in the following ways:
• Do not open attachments or click on links in emails from unknown senders
• Develop a cyber breach response plan, and educate all staff on what to do in the event of a breach
• Adopt best practice information security procedures, including firewalls, regular patching, application whitelisting, virus protection, restricted admin privileges, encryption and offsite data back-up
• Factor cyber insurance cover into your business’s insurance program
Cyber insurance will not stop cyber-attacks from happening, but it can be invaluable in helping to recover costs associated with such attacks – including loss of business income brought about by the inability to trade throughout the duration of the attack. As such, it should form part of every business’s holistic approach to handling cyber security threats.
Make no mistake, cyber criminals are probably the greatest innovators in the IT space today. Your data has value, as does your reputation, so the better your security measures and safety nets, the better chance you have of bouncing back in the event of a breach.
A free guide to assist you in setting up a data breach response plan for your business is available at
For further information contact Arthur J Gallagher on (02) 4979 3333, email or visit
Mark Bramley is an Area Director at Gallagher and has worked in the financial services industry for more than two decades.