The most common cybersecurity threats facing SMEs
- Robert Salier

- Feb 20
In Australia many smaller organisations are not required to report cybersecurity incidents. Anecdotally, and perhaps not surprisingly, the majority do not. The available information points to the most prevalent cybersecurity threats to small business being insider threats, scams, ransom attacks and IT-related issues, in roughly that order.

Insider Threats
It often comes as a surprise to businesses that insider threats account for around half of all cybersecurity breaches, i.e. as many as the other three categories combined.
Insider threats involve risks posed by individuals within the organization who have access to sensitive information. These threats can be unintentional or malicious, but both types can cause significant harm.
Employee mistakes or negligence: Simple mistakes can be extremely damaging. For example, an employee might mistakenly email confidential documents or information to the wrong recipient. Disengaged and/or careless employees may not take due care, e.g. ignoring prompts to update software, or failing to notice or report suspicious things.
Poor password practices: Weak passwords, re-using the same password across multiple systems and sites, and sharing passwords with others. Criminals who guess, crack or steal one of your passwords will usually try that same password on many other systems and sites where they know or guess you have an account.
Hostile, disgruntled, desperate or blackmailed employees: These employees may destroy or steal sensitive information, or provide access to others.
Employees leaving the business with sensitive information: Departing employees may take valuable or sensitive information with them, intentionally or unintentionally.
Scams
Scams involve tricking businesses into providing money, information, or access to their systems. Some scams are fairly crude and easy to spot, although these are usually intended to scam individuals rather than organisations, sending the same message to a large number (usually many thousands) of people. The scammer expects most people to recognise these as a scam, but the scam can still be lucrative if only a tiny fraction of recipients fall for it.
For businesses and other organisations, a much bigger threat comes from scammers that put time into choosing individual targets. These scammers will spend time researching the organisation, often using social networking sites such as LinkedIn. They may also research individual people within that organisation using sites like Facebook to help them understand their personalities and interests, so that they can craft messages that are most likely to hook and trick that person.
For large companies with potentially huge rewards, scammers have been known to spend months, and in some rare cases a year or more doing this reconnaissance. Smaller companies are smaller targets, but the potential reward for a scammer can still justify them spending a chunk of time. There’s quite a lot that can be learned in just 15 or 30 minutes of research, which can then be used to create far more convincing and targeted messages to hook a person.
The most common scams facing SMEs are:
Invoice Payment Redirections: This is a very common scam. Attackers impersonate a supplier, saying that their bank account details have changed. The victim then sends payment(s) to the scammer's bank account instead of the legitimate account of the supplier.
Fake Tech Support: Scammers pose as legitimate IT support providers, convincing employees to grant them access to systems or to pay for unnecessary services.
Fake Business Directory Listings: Businesses may be targeted by scammers offering fake directory listings or demanding payment for listings that do not exist.
Fake Charity or Sponsorship Requests: Scammers may pose as representatives of charities or organizations seeking sponsorship.
Impersonating Someone You Know: Attackers often impersonate a colleague, management, client, or government agency to extract money, gift cards, sensitive information, or access to systems.
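The invoice payment redirection scam above is best stopped by a process control: bank-detail changes that arrive by email are never actioned on their own, and are instead routed to out-of-band verification using a phone number already on file. The following is an added example of such a check, not code from the article; the vendor master record, supplier names, domains and invoices are constructed sample data, and the look-alike domain test (a simple edit distance) is an assumption about how one might catch "acme-stationery" standing in for "acmestationery".

```python
"""Defender-side check for supplier bank-detail changes (added example).

An invoice is put on hold for verification when any of the following holds:
  * the sender's email domain is not the supplier's known domain,
  * the BSB / account number differ from the vendor master record,
  * the message body asks to change payment details.
All supplier records and invoices here are constructed sample data.
"""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Supplier:
    name: str
    bsb: str            # Australian bank-state-branch code, e.g. "062-000"
    account: str
    email_domain: str   # domain the supplier is known to send from
    verified_phone: str # number on file for out-of-band confirmation


@dataclass
class Invoice:
    supplier_name: str
    sender_email: str
    bsb: str
    account: str
    amount: float
    body: str = ""


@dataclass
class Verdict:
    hold: bool
    reasons: list = field(default_factory=list)


# Constructed vendor master; in practice this lives in the accounting system.
VENDOR_MASTER = {
    "Acme Stationery Pty Ltd": Supplier(
        "Acme Stationery Pty Ltd", "062-000", "12345678",
        "acmestationery.example", "+61 2 5550 0100"),
}

# Phrases that typically accompany a redirection attempt (constructed list).
CHANGE_PHRASES = ("new bank", "updated bank", "changed our account",
                  "new account details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a cheap look-alike domain test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(s: str) -> str:
    return re.sub(r"[\s-]", "", s)


def _sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_invoice(inv: Invoice, master=VENDOR_MASTER) -> Verdict:
    reasons = []
    sup = master.get(inv.supplier_name)
    if sup is None:
        return Verdict(True, ["supplier not in vendor master"])
    domain = _sender_domain(inv.sender_email)
    if domain != sup.email_domain:
        kind = "look-alike" if edit_distance(domain, sup.email_domain) <= 2 else "unknown"
        reasons.append(f"sender domain {domain!r} is {kind} "
                       f"(expected {sup.email_domain!r})")
    if (_normalise(inv.bsb) != _normalise(sup.bsb)
            or _normalise(inv.account) != _normalise(sup.account)):
        reasons.append("bank details differ from vendor master; "
                       f"confirm by phone on {sup.verified_phone}")
    if any(p in inv.body.lower() for p in CHANGE_PHRASES):
        reasons.append("message asks to change payment details")
    return Verdict(hold=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    scam = Invoice("Acme Stationery Pty Ltd", "accounts@acme-stationery.example",
                   "062-000", "99999999", 1200.0,
                   "Please note our new bank details for this and future invoices.")
    for reason in check_invoice(scam).reasons:
        print("HOLD:", reason)
```

The point of the hold is that the verification phone number comes from the existing record, never from the email that asked for the change; a scammer who controls the email thread will happily "confirm" their own details if called on a number they supplied.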
Ransom Attacks
In its 2024 Cyber Threat Report the Australian Signals Directorate (ASD) said that “small to medium businesses are high-risk targets for ransomware attacks”, and that the threat was continuing to rise. Their 2023 report said that ransom attacks had increased roughly five-fold since the pandemic.
Ransom attacks involve a threat to take harmful actions unless a ransom is paid. The attacker may threaten to publish or sell sensitive data such as customer information or intellectual property, until a ransom is paid, and/or threaten to wipe or lock a company’s PCs or servers.
Ransom attacks vary from opportunistic and fully automated, through to highly targeted and human orchestrated. The former tend to be indiscriminate, sent to a broad range of potential targets in the hope that a small number may pay off. They tend to use “ransomware”, i.e. software that will lock a computer and/or data, requiring a ransom to be paid for it to be unlocked. Highly targeted attacks tend to be executed by a human attacker who is more likely to have chosen a specific target or targets, will know more about those targets, and is more likely to steal data so they can threaten to publish or sell it.
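The automated ransomware described above has a characteristic footprint on a file server: one process rewriting or renaming many files in a short time, usually to a single new extension. The following is an added detection example, not code from the article or the ASD; the log line format, the process names and the thresholds (20 files within 60 seconds, one extension on at least 80% of them) are constructed assumptions chosen for illustration.

```python
"""Sliding-window detector for mass file renames/writes (added example).

Input: file-activity log lines in a constructed format such as
  2024-05-01T09:00:07Z pid=4321 proc=update.exe op=rename path=/share/docs/a.docx -> /share/docs/a.docx.locked
For each process, keep the events from the last WINDOW_SECONDS; alert once
when the process has touched at least MIN_FILES distinct files and one
extension accounts for DOMINANT_SHARE or more of those events.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
MIN_FILES = 20
DOMINANT_SHARE = 0.8

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: -> (?P<dst>\S+))?$")


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=WINDOW_SECONDS, min_files=MIN_FILES,
           share=DOMINANT_SHARE):
    recent = defaultdict(deque)   # pid -> deque of (ts, destination path, ext)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ("rename", "write"):
            continue                      # opens/reads are not of interest here
        dst = ev["dst"] or ev["path"]
        q = recent[ev["pid"]]
        q.append((ev["ts"], dst, _extension(dst)))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                   # drop events outside the window
        files = {p for _, p, _ in q}
        if len(files) < min_files or ev["pid"] in alerted:
            continue
        top_ext, n = Counter(e for _, _, e in q).most_common(1)[0]
        if n / len(q) >= share:
            alerted.add(ev["pid"])        # one alert per process
            alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                           "files": len(files), "ext": top_ext,
                           "at": ev["ts"].isoformat()})
    return alerts


def sample_log():
    """Constructed sample: a few benign edits, then a burst of renames."""
    lines = [
        "2024-05-01T08:59:10Z pid=777 proc=winword.exe op=open path=/home/jo/letter.docx",
        "2024-05-01T08:59:12Z pid=777 proc=winword.exe op=write path=/home/jo/letter.docx",
        "2024-05-01T08:59:40Z pid=777 proc=winword.exe op=write path=/home/jo/notes.docx",
    ]
    for i in range(25):
        lines.append(f"2024-05-01T09:00:{i:02d}Z pid=4321 proc=update.exe op=rename "
                     f"path=/share/docs/report{i}.docx -> /share/docs/report{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"ALERT pid={a['pid']} {a['proc']} renamed {a['files']} files "
              f"to .{a['ext']} by {a['at']}")
```

A bulk copy, a backup agent or a sync client will trip the same heuristic, so in practice the thresholds are tuned per environment and known agents are allow-listed by process path; the value of the check is that it fires within the first minute of an encryption run, when disconnecting the host still limits the damage.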
Victims often face a difficult decision on whether to pay the ransom.
The Australian government strongly opposes the payment of cyber ransoms. This stance is based on several concerns. Firstly, there is no guarantee that the criminal will follow through on their promise to restore data or systems. Furthermore, the cybercriminals may restore data and systems but still leak or sell the data regardless. Additionally, paying a ransom demonstrates that the victim is willing and able to pay, increasing the likelihood of the criminal repeating the attempt on that same victim. The paying of ransoms also contributes to making the criminal business of ransom attacks lucrative, attracting more criminals and perpetuating this global problem.
Australian law does not directly prohibit paying ransoms, and at the time of writing this article a proposal to do so has been dropped. Instead, the Australian Government is considering making it mandatory to report ransom payments. Having said that, paying a ransom may still constitute an offence. Under section 102.7 of the Criminal Code Act 1995 it is an offence to ‘recklessly’ provide resources to support a terrorist organisation. Also, some payments may constitute a money-laundering offence under Division 400 of that Act.
Vulnerabilities in IT Infrastructure
Vulnerabilities in IT systems, software, or configurations are often exploited by cybercriminals to gain unauthorised access or disrupt operations. There is an overlap between IT-related issues and insider threats, because IT-related issues often result from employee mistakes, negligence, or lack of awareness and training.
Use of Default Passwords: Many devices and software come with default passwords that are widely known or easily cracked. If these passwords are not changed, they can be an open door for attackers.
Software and Device Vulnerabilities: Modern IT hardware and software is incredibly complex, and hence almost never perfect. Most of us will have experienced bugs of various kinds. Whilst many bugs are just nuisances, others can result in security weaknesses that can be exploited by hackers to gain access into a device or system. Hardware and software vendors routinely find security vulnerabilities, either themselves or when notified by their users or cybersecurity threat experts. Depending on the nature and severity of the vulnerability, vendors may issue an emergency fix (which the industry calls a “patch”), or they may wait to include the patch in the next update of the software. Many vendors plan regular software updates in the knowledge that every few months they will have a collection of new features, improvements, bug fixes and security patches to distribute.
Misconfigurations: Improperly configured systems, networks, or applications can create security gaps that can be exploited by attackers. A common mistake is to accidentally configure a system, software, or service to be accessible from the public Internet when it should not be. Another common mistake is poor or non-existent authentication, e.g. with an easily guessed or cracked password, or no password at all. The 2022 Optus breach was due to a combination of both these mistakes.
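The two misconfigurations named above (a service reachable from outside when it should not be, and a service with no authentication) can be caught by a routine audit of what each host is actually listening on. The following is an added example of such an audit, not code from the article or from any vendor: it parses lines in the format printed by the Linux `ss -ltnp` command, flags anything bound to all interfaces that is not on an approved list, and raises the severity when the service is also recorded as having no authentication. The socket lines, the approved port list and the per-service authentication flags are constructed sample data; in practice the flags would be derived from each service's configuration.

```python
"""Listening-socket exposure audit (added example).

Parses ``ss -ltnp`` style output and reports listeners bound to a wildcard
address (0.0.0.0, :: or *) whose port is not on the approved public list.
Listeners with no authentication configured are reported as critical.
"""
import re
from dataclasses import dataclass

WILDCARDS = {"0.0.0.0", "::", "*"}
PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name in users:((...))


@dataclass(frozen=True)
class Listener:
    proc: str
    addr: str
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    severity: str    # "critical" or "review"
    note: str


def parse_ss(lines):
    """Extract (process, local address, port) from LISTEN rows; skip the header."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # "[::]:9200" -> "[::]", "9200"
        m = PROC_RE.search(line)
        out.append(Listener(m.group(1) if m else "?", addr.strip("[]"), int(port)))
    return out


def audit(lines, allowed_public_ports, auth_required):
    """Return findings for wildcard listeners outside the approved list.

    auth_required maps a process name to True when that service is configured
    to demand credentials, False when it accepts unauthenticated clients.
    """
    findings = []
    for l in parse_ss(lines):
        if l.addr not in WILDCARDS or l.port in allowed_public_ports:
            continue    # loopback-only or explicitly approved: nothing to report
        if auth_required.get(l.proc, False):
            findings.append(Finding(l, "review",
                "bound to all interfaces but not on the approved list; "
                "confirm the firewall blocks it from the Internet"))
        else:
            findings.append(Finding(l, "critical",
                "bound to all interfaces with no authentication configured"))
    return findings


# Constructed sample output in the shape of ``ss -ltnp``.
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    'LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))',
    'LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))',
    'LISTEN 0      128    [::]:9200           [::]:*            users:(("java",pid=2222,fd=400))',
    'LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=990,fd=6))',
    'LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*         users:(("nginx",pid=5,fd=7))',
]

# Constructed per-service authentication status (would come from each config).
SAMPLE_AUTH = {"sshd": True, "postgres": True, "java": False,
               "redis-server": False, "nginx": True}

if __name__ == "__main__":
    for f in audit(SAMPLE_SS, allowed_public_ports={22}, auth_required=SAMPLE_AUTH):
        print(f"{f.severity.upper():8} {f.listener.proc}:{f.listener.port} "
              f"on {f.listener.addr} - {f.note}")
```

Binding to a wildcard address does not by itself mean the service is reachable from the Internet (a host firewall or NAT may block it), which is why the authenticated case is only marked for review; the unauthenticated case is critical regardless, because the first firewall change or the first cloud security-group mistake turns it into exactly the combination the article attributes to the 2022 Optus breach.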
Conclusion
Cybersecurity threats to Australian SMEs are real, growing, and increasingly sophisticated. The four categories covered in this article (insider threats, scams, ransom attacks, and IT infrastructure vulnerabilities) collectively represent the vast majority of incidents affecting small and medium businesses. Importantly, none of these threats requires a technically advanced attacker to be successful; many of the most damaging incidents result from simple human error or easily avoided oversights.
In coming articles, I will explore common tactics used by cyber criminals to break in and gain access to an organisation’s sensitive data, and some practical security measures that SMEs can take to protect themselves.