Human error an overlooked cyber risk for SMEs

As cyber risk for Australian small businesses continues to grow, there’s one area of risk that many may be ignoring: their employees.

“Human error is a huge source of cyberattacks and data breaches,” says Brad Miller, general manager and co-founder of BizCover, Australia’s leading small business insurance platform. “Many malicious attacks, like ransomware and system hacks, start with someone making a simple mistake.”

This view is supported by data collected by the Office of the Australian Information Commissioner (OAIC). Between 25-33 per cent of breaches reported to the OAIC from January 2021 to June 2024 were attributed to human error. These reached a high of 41 per cent of breaches notified during the July to December 2021 reporting period.

A business’ employees are in many ways their first and last defence against cyberattacks. However, a major area where many SMEs are lagging is in cybersecurity training.

Only 38 per cent of small businesses surveyed by Cyber Wardens reported that their staff receive cybersecurity training, and 53 per cent “can’t recall a time cyber security has been discussed in the workplace”.

However, cyber education should be an essential part of any SMEs cybersecurity plan.

Cybercriminals are pros at finding the weakest links in an organisation, and all too often employees are their way in. Phishing, the third-most reported scam to ScamWatch in 2024, relies on people making a mistake or poor judgement call.

Miller explains: “You get an email that appears to be from someone you trust – your boss, a supplier, your commercial landlord. They ask you to click a link, verify login details, or transfer money to a new account. Except the email is not from them; it’s from a cybercriminal ready to use those details to steal data, money, or both.”

Phishing and other social engineering attacks may also play on the receiver’s emotions. They might create a false sense of urgency, hoping you’ll act before verifying the information in the message.

“Small business owners should seriously consider making cybersecurity training a priority,” says Miller. “Many cyberattacks, data breaches, and scams can be prevented if you and your employees learn to recognise them.”

While cyber training is important for SMEs, it’s only one part of a robust cyber security plan. Other measures, like employing multi-factor authentication (MFA), doing away with shared passwords, and patching software immediately, are also key to protecting a business’ data.

Cyber Liability insurance* can also play a part in helping small businesses manage cyber risk and cyberattacks.

For SMEs, the financial support and resources provided by Cyber Liability insurance can be critical following a cyberattack.

“Cyber incidents are often expensive, creating unplanned bills related to investigating the cause of a breach, restoring data, and notifying affected customers,” says Miller.

“A Cyber Liability policy can help small businesses handle these costs. They also offer 24-hour incident response services that connect business owners with all-important resources to help minimise the damage and get back to business as usual as quickly as possible.”

The latest figures released by the Australian Signals Directorate (ASD) reveal the average cost of cybercrime for small business was $49,600 in FY24 – an 8 per cent increase on the previous financial year.

Furthermore, the Cyber Wardens survey found that 31 per cent of those surveyed had low or no confidence in their ability to find help after a cyberattack, and 39 per cent strongly doubted that they could recover after an incident.

“Cyber Liability insurance can play a critical role alongside cyber education and preventative security measures in protecting small businesses,” says Miller. “A policy may give SMEs added peace of mind and confidence that they can successfully manage and recover after a cyberattack.”

*This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.

© 2025 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769