Cyber attacks cost Australian SMEs an average of $1.9 million, but there’s “hidden” costs too

coronavirus tax relief

Australian businesses that employ between 100 and 500 employees can expect to shell out approximately $1.9 million if hit by a cyber attack, according to research released this week by global cyber security firm Webroot.

However, experts warn the costs to businesses of a cyber attack or email scam are not purely financial: there’s reputations at stake too.

Webroot surveyed 600 IT decision makers in SMEs in Australia, the US and UK in May this year to calculate the average cost to a business of a cyber attack.

In Australia, that figure is $1.89 million, with half of the Australian respondents to the survey indicating that their business would face costs of more than $1.3 million if customer records or critical business data were lost.

In the US, the average cost was estimated to by $US579,099, while the UK average came in at £737,677.

The same survey found 94% of Australian firms with between 100 and 500 employees are increasing their IT security budgets, by an average of 12%, and 60% of the same businesses believe they are not prepared to deal with a potential cyber attack.

The costs to a business of a cyber attack are not purely financial — and this is also front of mind for the businesses surveyed by Webroot. Seventy-five percent of the Australian firms surveyed said it would be harder to restore their business’ public image in the event of an attack, compared with restoring employee trust and morale.

Company reputations are also at stake in the event of “brandjacking scams” or email impersonation scams that attempt to dupe their customers into paying fake invoices or giving up their personal details.

Rarely a week goes by without one of Australia’s large telecommunications or energy companies being hit by an email scam. Australian government departments and bodies are also not immune, with small and medium businesses previously being warned about fake email invoices impersonating the Australian Taxation Office, the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission.

Read more: Massive Origin Energy scam email sent to a quarter of Australian businesses

In June, email security software provider MailGuard reported seeing a 400% increase in these email attacks, while data released from the ACCC in May showed that Australians lost $300 million to scams and fraudulent activity in 2016. Of that amount, businesses reportedly lost $3.78 million.

While it is most common to see “brandjacking” email scams targeted at the big end of town, MailGuard chief executive Craig McDonald told SmartCompany these scams pose an “enormous” risk to small and medium businesses, perhaps even more so than to larger brands.

When you’re a large, established brand you have built up loyalty and credibility over a long time.,” McDonald says.

But SMEs don’t have the same luxury, he says.

“Any type of cyber attack — whether it impacts the SMB or impersonates it — can seriously undermine their reputation, and discourage customers and suppliers from doing business with them,” he adds.

Gerry McCusker, an issues management and public relations specialist, agrees, telling SmartCompany all businesses that use the internet are vulnerable to cyber threats and scams. His own business, Engage ORM, which deals with reputation management, suffered a website hack around five months ago.

McCusker believes the incident was a case of someone “making a point”. It didn’t result in a financial loss to the business but is believed to have occurred through a sign-up form on the business’ website. These lead generation forms can “slightly open doors” to potential scammers, says McCusker.

McCusker says when businesses invest in online processes and services, they are inevitability also investing the goodwill and trust of their brands. Any risk to this reputation, therefore, needs to be front of mind.

“Online may be fast, but it’s not fail-safe,” says McCusker.

“My observation is businesses need to be aware of the lifecycle costs of being online. It’s like when you buy a car and you have [to pay for] maintenance and updates.”

In McCusker’s case, the business already had an established relationship with an IT specialist, who was able to quickly resolve the issue.

It shows the value in having a reliable expert you can call on in the event of an attack, says McCusker.

“Speak to an IT troubleshooter in peace time, so when you pick up the phone [to report a cyber attack] they can respond quickly,” he says.

Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on TwitterFacebookLinkedIn and Instagram.


Notify of
Inline Feedbacks
View all comments
SmartCompany Plus

Sign in

To connect a sign in method the email must match the one on your SmartCompany Plus account.
Or use your email
Forgot your password?

Want some assistance?

Contact us on: or call the hotline: +61 (03) 8623 9900.