Brought to you by:

'I should, but I haven't': micro businesses oblivious to cyber

Facebook Twitter LinkedIn Google

Small businesses with turnover under $10 million a year are largely ignoring cyber risk, adopting a “head in the sand” attitude even as attacks escalate and rapid adoption of technology leaves them exposed, Cameron Research says.

As SMEs embraced “seven years of tech change and innovation” in just two years due to covid, cyber risk management has dramatically failed to keep up, Cameron Research Project Director Ross Cameron says.

“It is not a particular industry or an age-of-business-owner thing - it is a size of business thing. You have literally just got this huge number of smaller businesses that have no idea,” Mr Cameron tells

“It is an opportunity for brokers in the sense that it is a risk SMEs face that they are not addressing.”

There has been a “stunning lack” of development in thinking and approach to cyber security in this arena, he says. Almost 98% of businesses have 19 employees or less, and while selling cyber insurance might be challenging, the issue presents an important chance for brokers to initiate conversations and educate.

"There are an enormous number of them in this area - they are just clueless, nowhere. There is an issue for insurers to come up with coverage that suits them and without question it is an opportunity,” Mr Cameron said.

“The broker can really be a forward thinker and leader, really open the business owner’s eyes to something they are probably in denial of having to address.”

It is a “quirk and concern” that even staff working from home has had no significant impact on cyber security behaviour – the research finding perspectives have not shifted despite “so widely and warmly” embracing technology.

Many SMEs presume suppliers of services such as Google, banks and Xero have taken care of it.

“I am not convinced that is the case and the business owner has absolutely no idea - their attitudes haven’t changed,” Mr Cameron said. “Certainly they need to just open their eyes up to it a little bit.”

Various examples of small business owner commentary reveal many realise they should be more attuned to cyber security.

“I’ve done nothing. We should change all our passwords et cetera and spend some time on internet security but we haven’t,” a training sole trader told Cameron Research.

“I don’t really feel that I’ve got it under control. I am just blissfully ignorant as to the real risk,” a communications consultant added.

“I guess we use whatever’s built in – like your web-banking and stuff like that,” a bar owner said.

“I don’t even know where to start. All our information is stored in the cloud in the Mindbody system. Is it their responsibility or is it my responsibility?,” a fitness business owner said.

Mr Cameron says a starting point is alerting micro businesses to the problem in order to move forward.

“At the moment there is just no awareness at that smaller end of the market that there is an issue,” he said.