This article was originally published by Melbourne Chamber Pitcher Partners and reflects the author's views.

While cybersecurity is a top priority for most mid-market companies, there is some ambiguity regarding who is responsible for cybersecurity. Fifty-four per cent of respondents named the IT team as having some responsibility, while 40 per cent named managers and supervisors, 31 per cent named executive leadership, 31 per cent named all employees, and 19 per cent named owners. Surprisingly, only 16 per cent of respondents believed that the company board is responsible for cybersecurity, despite warnings from the Australian Securities and Investments Commission (ASIC). ASIC chairman Joe Longo said at the start of the year: “From my perspective, I see (cybersecurity) as the top of the house, the board of directors level, issue.’

Size doesn’t deter when it comes to cybercrime

While almost half of those who responded believed their business was not an attractive target, it’s important to note that cyber breaches are on the rise. The Office of the Australian Information Commissioner reported a 26 per cent increase in cyber breaches notified from July to December 2022 compared to the first half of the year. Most of these breaches (88 per cent) involved contact and identity information, which every business holds in vast quantities.

It’s important to be aware that outsourcing IT services does not necessarily remove risk for the business, as this is not true both legally and practically. In fact, 45 per cent of respondents believed that outsourcing IT services reduces risk, and this number rose to 59 per cent among highly confident businesses. This indicates poor awareness of the risks associated with third-party and supply chain security management.

While they may feel that they are ‘small financial fish’ in the cybercrime pond which can lead to a false sense of security, small businesses are often targeted because they represent an easier access point to larger organisations in their supply chain. Additionally, they may not be as well defended as larger organisations and hold volumes of highly sensitive data. Therefore, it’s important to have a documented incident response plan in place, with clear processes to contain the breach and remediate the damage.

Proactivity is key, prepare and practise

Preparing for a cyber-attack should involve a communications plan, as it’s crucial to be able to respond quickly and effectively during a crisis. Businesses should also be aware of their obligations for reporting an incident to the appropriate people in their organisation and regulatory authorities. Preparing well should also involve workshopping and practising response plans and communication strategies ahead of an actual threat, because arranging one in the middle of a crisis will not allow the business to be responsive.

The impact of a data breach can be severe, including exposure of critical data, loss of confidence from investors, class actions by affected customers, and loss of revenue and jobs. The average cost of a ransomware attack globally is now $6.5 million according to IBM’s 2022 Cost of a Data Breach report, and rising sharply every year as attacks become more sophisticated.

Prudent business leaders should revisit their cybersecurity plans to ensure they are sound and that people at all levels of the organisation understand their role and responsibilities in case of a breach. Investing in cybersecurity can have a positive impact on a business, protecting from potential risks and helping to maintain a reputation and relationships with customers and suppliers.