
The importance of cybersecurity for Australian small businesses

Risk Management

21 Mar 2025 (Last updated 30 June 2025)


The rise in sophisticated, well-disguised cyber threats has become a concern for small and medium-sized business owners.

Analysts predict that by 2025 cybercrime will cost the world economy around US$10.5 trillion annually. If cybercrime were measured as a country, it would be the world’s third-largest economy after the U.S. and China.

Cyber attacks, email and text phishing scams, malware and distributed denial of service (DDoS) attacks (which flood a website, computer or online service with traffic to force it offline) cost Australians $3.1 billion in 2022.

The Australian Cyber Security Centre (ACSC) found the average cost per cybercrime was $49,600 for small business, $62,800 for medium business and $63,600 for large business in 2023-24.

Why cybercriminals target SMEs

Just like large organisations, your small business collects customer data and sensitive information such as first and last names, home and email addresses, and phone numbers. Depending on your business you may also have financial or medical information about your customers, clients, or patients.

This business-critical information is just as valuable to cybercriminals as it is to you. Keeping information about your business and customers secure is essential, and for many businesses it is also a legal obligation.

While many people believe cybercriminals focus mainly on large organisations such as banks and telecommunications companies – as they’re the ones that make the news when a breach happens – the truth is that they see SMEs as easier targets.

Unlike large businesses with dedicated cyber security teams and leading-edge security systems, small and medium-sized enterprises often lack the IT infrastructure to prevent an attack. They also rarely have stringent cyber security processes in place, or the internal resources to train employees properly on the risks of cybercrime.

Protecting your business

ACSC offers some simple and cost-effective ways you can improve your security. These include:

  • Turn on multi-factor authentication (MFA) wherever possible.
  • Use a password manager to create and store unique passwords or passphrases.
  • Give employees and contractors access only to what they need for their role (the principle of least privilege, which is also the idea behind Zero Trust Network Access (ZTNA) products).
  • Educate employees on what to do when opening attachments or sending sensitive information, and include this in your onboarding process for new employees.
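The access-control and MFA points above can be checked mechanically against an export from your identity provider or each application's admin console, rather than trusted to memory. The script below is an added example, not code from the ACSC or from the original article: it compares what each account has actually been granted with what its role needs, and also catches two related gaps, an account that stays enabled after the person has left and an enabled account with no second factor. The role matrix, the account export, the HR leavers list and the field names are all constructed for the illustration.

```python
"""Least-privilege and MFA review against a constructed account export.

Added example, not code from the original article or the ACSC. The role
matrix, the account export and the HR leavers list below are made up to show
the review; in practice the export comes from your identity provider or each
application's admin console, and the field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical role matrix: the permissions each role legitimately needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "sales": {"crm.read", "crm.write", "email"},
    "accounts": {"crm.read", "ledger.read", "ledger.pay", "email"},
    "admin": {"crm.read", "crm.write", "ledger.read", "ledger.pay", "email", "user.manage"},
}


@dataclass
class Account:
    username: str
    role: str
    enabled: bool          # can the account currently sign in?
    mfa_enrolled: bool     # has a second factor been registered?
    permissions: Set[str]  # what the account has actually been granted


# Constructed export. "bob" was given a payment permission for a one-off task
# and never had it removed; "erin" resigned but the account was never disabled.
ACCOUNTS: List[Account] = [
    Account("alice", "sales", True, True, {"crm.read", "crm.write", "email"}),
    Account("bob", "sales", True, False, {"crm.read", "crm.write", "email", "ledger.pay"}),
    Account("carol", "accounts", True, True, {"crm.read", "ledger.read", "ledger.pay", "email"}),
    Account("dave", "admin", True, True, set(ROLE_PERMISSIONS["admin"])),
    Account("erin", "sales", True, True, {"crm.read", "email"}),
]
LEAVERS: Set[str] = {"erin"}  # constructed: usernames HR reports as having left


def review(accounts: List[Account], role_permissions: Dict[str, Set[str]],
           leavers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (username, issue, detail) for every control gap found."""
    findings = []
    for acct in accounts:
        allowed = role_permissions.get(acct.role)
        if allowed is None:  # nobody has decided what this role may do
            findings.append((acct.username, "unknown-role", acct.role))
            continue
        excess = acct.permissions - allowed
        if excess:  # more than the role needs: revoke, or document the exception
            findings.append((acct.username, "excess-permission", ",".join(sorted(excess))))
        if acct.enabled and acct.username in leavers:  # offboarding was missed
            findings.append((acct.username, "leaver-still-enabled", ""))
        if acct.enabled and not acct.mfa_enrolled:
            findings.append((acct.username, "mfa-not-enrolled", ""))
    return findings


if __name__ == "__main__":
    for user, issue, detail in review(ACCOUNTS, ROLE_PERMISSIONS, LEAVERS):
        print(f"{user:8} {issue:22} {detail}")
```

Running it on the constructed data reports bob's leftover payment permission and missing MFA, and erin's still-enabled account. The role matrix is the important artefact: once it is written down, the same review can be rerun after every staff change, and any "excess-permission" finding is either revoked or recorded as a deliberate exception.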

To protect your devices and information:

  • Turn on automatic updates for your devices and software so known vulnerabilities are patched promptly, and back up your data regularly so any lost information can be recovered quickly.
  • Set up security software to complete regular scans on your devices.
  • Speak to an IT professional about ways to secure your network. This could include penetration testing to find and fix network vulnerabilities.
  • Perform a factory reset before selling or disposing of business devices (on laptops and desktops, make sure the drive was encrypted or securely erased first, as a reset or reinstall alone can leave data recoverable).
  • Configure devices to automatically lock after a short time of inactivity.
  • Understand the data your business holds and your responsibilities to protect it.

Understanding the main causes of a data breach

The causes of a data breach usually fall into three categories:

Cyber Attack

  • Phishing scam - email and text scam messages.
  • Ransomware / malware – malicious software; ransomware in particular encrypts or steals your data and demands payment for its return or for not publishing it.
  • Online identity fraud – a bad actor impersonating someone in your organisation, or one of your suppliers or associates, to obtain personally identifiable information (PII).
  • Distributed Denial-of-Service (DDoS) - this floods your website with traffic to prevent users from accessing online services and sites.

Human Error

  • Failure to configure devices correctly - especially devices used by remote or hybrid employees.
  • Opening an attachment or link in a scam email, or entering details on a scam website.
  • Deliberate misuse of data by a disgruntled current or former employee (strictly an insider threat rather than an error, but often made possible because access was broader than the role needed or was not revoked when they left).
  • Not correctly following or updating security protocols.

Physical Attack

  • Theft of documents or devices.
  • Failing to wipe data properly before disposing of older devices.
  • Card or device skimming.
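Two of the items under Cyber Attack, phishing and identity fraud that impersonates someone in your organisation, usually show up in an email's headers before anyone opens an attachment. The script below is an added example, not from the original article or the ACSC: it runs the checks a small business mail filter or a staff "is this real?" checklist would apply to one raw message. OUR_DOMAIN, the STAFF name list, the BEC_KEYWORDS phrase list and both sample messages are constructed; the Authentication-Results header it reads is assumed to have been stamped by your own receiving mail server with the SPF, DKIM and DMARC outcomes.

```python
"""Phishing and sender-impersonation triage over a raw email message.

Added example, not code from the original article. OUR_DOMAIN, STAFF,
BEC_KEYWORDS and the two sample messages are constructed; the
Authentication-Results header is assumed to be written by your own receiving
mail server, which is where these checks belong.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com.au"          # assumed: the business's own domain
STAFF = {"jane smith", "tom nguyen"}    # assumed: names an attacker might impersonate
# Phrases typical of payment-redirection (business email compromise) lures.
BEC_KEYWORDS = ("bank details", "bank account", "payment run", "wire transfer", "gift card")


def normalise(domain: str) -> str:
    """Collapse common lookalike substitutions (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when domain is not trusted but is crafted to read like it."""
    if domain == trusted:
        return False
    return normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) == 1


def triage(raw: bytes, our_domain: str = OUR_DOMAIN, staff=STAFF) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Sender authentication results recorded by our own mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}-{result.lower()}")
    # 2. A known staff name in the display name, but not sent from our domain.
    if from_domain != our_domain and any(name in display.lower() for name in staff):
        findings.append("display-name-impersonation")
    # 3. Sender domain crafted to look like ours.
    if is_lookalike(from_domain, our_domain):
        findings.append("lookalike-sender-domain")
    # 4. Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # 5. Payment-redirection language in the subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(k in text for k in BEC_KEYWORDS):
        findings.append("payment-change-language")
    return findings


# Constructed phishing sample: lookalike domain, spoofed staff name, webmail reply-to.
SUSPICIOUS = b"""Authentication-Results: mx.example.com.au; spf=fail smtp.mailfrom=exarnple.com.au; dkim=none; dmarc=fail
From: "Jane Smith - Accounts" <jane.smith@exarnple.com.au>
Reply-To: jane.smith.accounts@gmail.com
To: payroll@example.com.au
Subject: URGENT: updated bank details for today's payment run
Content-Type: text/plain; charset=utf-8

Hi, please update the supplier's bank account before the payment run. Thanks, Jane
"""

# Constructed benign internal message for comparison.
BENIGN = b"""Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=example.com.au; dkim=pass; dmarc=pass
From: "Jane Smith" <jane.smith@example.com.au>
To: tom.nguyen@example.com.au
Subject: Lunch?
Content-Type: text/plain; charset=utf-8

Lunch at 12 on Friday?
"""

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))
    print("benign:    ", triage(BENIGN))
```

On the constructed phishing sample every check fires (failed SPF and DMARC, no DKIM, a staff name on a lookalike domain, a webmail Reply-To and bank-detail language); the benign message returns no findings. Any one indicator is a reason to verify by phone before acting, and a lookalike domain or a Reply-To mismatch on its own is enough to quarantine.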

On top of the data itself, there is the cost of lost productivity and revenue during downtime, and the reputational damage to your business.

More than money

Even more important than the financial cost is the toll a cyber attack can take on the mental health and wellbeing of a business owner and their employees.

Scams can have a long-lasting and traumatic impact on people’s mental health. People who are victims of online scams feel stressed, embarrassed and ashamed, often blaming themselves, which can undermine their confidence in using technology.

A cyber breach can severely affect personal and professional relationships, increase stress with the fear it may happen again, and elevate workloads as business owners and employees work additional hours in an attempt to recover lost sales and income.

Providing support to your employees can alleviate their concerns and enhance morale.

Cyberattacks are common among small businesses and can be devastating. By having a recovery plan in place and reinforcing your security protocols, you can minimise the damage to your business, employees, and yourself. For advice on how you can help the mental health of your employees contact the team at Peninsula.

Related Blog Articles

  • Manual Handling: The Hidden Health & Safety Danger
  • What is a Risk Assessment?
  • Alcohol or Drug Testing in the Workplace