Australian businesses complacent on cyber risks: Aon

Too many Australian businesses have their “heads in the sand” when it comes to cyber dangers, according to Aon.

Some companies have taken huge strides strengthening their digital defences, but overall the situation is one of underinvestment, especially among smaller businesses.

“There are still too many organisations with their heads in the sand… Australian businesses have a long way to go,” Aon National Cyber Risk Practice Lead Fergus Brooks told insuranceNEWS.com.au.

“In general, organisations are maintaining a traditional approach of doing what they can with a limited, allocated budget.

“Many Australian companies consider themselves too small to attract a cyber-attack. However, smaller businesses don’t tend to have the dedicated cyber-security resources that larger organisations have in place, making them a softer target.”

The stakes will rise when the Notifiable Data Breaches scheme starts on February 22, affecting organisations that the Privacy Act requires to secure certain categories of personal information. They must inform individuals if personal information is involved in a data breach that could result in serious harm.

“Organisations that do not adequately protect sensitive data will be in the spotlight and could face substantial fines and penalties, legal action and damage to brand and reputation… many businesses are underprepared,” Mr Brooks said.

Globally, companies will enhance their cyber defences as digital threats escalate and grow more sophisticated, according to an Aon report.

Chief risk officers will take centre stage and demand for tailor-made standalone cyber covers will increase.

The report predicts multi-factor authentication will become more mainstream as passwords and physical biometrics no longer provide adequate security.

“Heightened concern among executives over liability, and the financial and operational impact of cyber risk, will drive changes in the insurance market,” Aon Cyber Solutions CEO Jason Hogg said.

“Today’s silo-driven approach to cyber risk management will begin to disintegrate [this year], in favour of a co-ordinated C-suite-driven approach as leading companies begin to view the impact of cyber risk holistically across all functions of the enterprise.”