)
Small business insurance provider BizCover has witnessed an almost 50 per cent rise in sales of cyber liability cover in the past year and expects demand to continue to climb as threats evolve and penalties tighten, after one cybercrime incident was reported every six minutes on average in FY24.
The Australian Signals Directorate revealed in November that there were 87,400 cybercrime reports in FY24 with $84 million in business email compromise (BEC) losses self-reported to ReportCyber.
Average losses per incident went down for medium and large businesses by 35 per cent and 11 per cent respectively, but for small businesses the figure was up 8 per cent at $49,600.
The government body is yet to release its report for FY25, and there have been some positive signs in the space with Commonwealth Bank (ASX: CBA) reporting a 76 per cent drop in scam losses over the past two-and-a-half years, but the latest data from BizCover shows businesses are taking the threat much more seriously.
"The fallout from a cyberattack can have serious consequences for a small business," says BizCover virtual chief information officer Akshaye Kalkura.
"Without cyber liability cover, they are exposed to operational disruption if their systems are taken offline, financial losses from investigations, legal fees, data recovery and lost income, as well as reputational damage if customer or supplier data is compromised."
Cyberattacks on small businesses can take many forms, from ransomware and phishing scams to invoice fraud and accidental data leaks.
"One of the most common reasons that business owners don’t take out cyber liability cover is because they believe they’re ‘too small’ to be a target," says Kalkura.
"This couldn’t be further from the truth, as small businesses are often targeted because they don’t have the same strong cybersecurity measures in place as larger organisations. Email compromise, fake invoices and simple human error all contribute to small businesses becoming the victims of cyberattacks.
"With greater understanding of the threat landscape comes more focus on cybersecurity measures, including insurance; and heavier penalties for data privacy breaches mean that businesses aren’t willing to take chances when it comes to protecting customer data. They know what’s at stake."
The news of this massive spike in insurance plans - up 85 per cent since 2022 and 49.5 per cent over the past year at BizCover - comes after Cyber Security Awareness Month kicked off yesterday.
International IT governance association ISACA recently released its 2025 State of Cybersecurity Report which found Australian cybersecurity teams were stretched thin with 54 per cent reporting they were understaffed.
Meanwhile, 55 per cent of Australian respondents in ISACA's survey said more than half of their current staff transitioned from non-security roles, amidst a persistence of challenges with hiring and retention.
More than a third of respondents said it took three to six months to hire for entry-level roles, while 48 per cent reported the same timeframe for non-entry-level roles which is far higher than the global average of 39 per cent.
In Australia, social engineering, insider attacks and denial of service dominate the threat landscape, each cited by 33 per cent of respondents as the most common attack types, with 41 per cent per cent also reporting more attacks compared to a year ago - a sharp rise from 29 per cent in 2024.
While 50 per cent of Australian cybersecurity professionals believe an attack on their organisation is likely or very likely in the next year, only 35 per cent are confident in their team’s incident response capabilities.
Additionally, 45 per cent believe cybercrime is underreported, even when reporting is required.
ISACA board president Jamie Norton the findings highlight the scale of the challenge in Australia and how organisations are managing staffing shortages, tight budgets, rising threat volumes and rapid AI adoption.
"The fact that stress levels are still climbing is a red flag for our industry," says Norton. "If we are to remain resilient in the face of rising threats, boards must continue to prioritise the wellbeing and development of their cyber teams."
Jo Stewart-Rattray, ISACA’s Oceania ambassador, says the results should spur boards to rebuild the talent pipeline and protect training budgets despite economic pressure.
"Australia can’t hire its way out of a skill gap this deep," says Stewart-Rattray. "The data shows fewer organisations are training non-security staff into cyber roles, even though most organisations acknowledge they are under-staffed. This approach is unsustainable. Boards need to prioritise cyber training and cross-skilling programs and recognise that developing people is the fastest, most sustainable path to resilience."
)
