The Australian Security and Investment Commission (ASIC) is warning small businesses to be prepared for the coming cybercrime wave.

ASIC chair Joe Longo said global cybercrime damage costs are predicted to grow by 15 per cent annually over the next three years.

He has issued a warning to companies who do not adequately address cyber risk and resilience, or have controls in place to protect key assets.

“Failure to do so could mean failing to meet regulatory obligations,” said Longo.

The corporate regulator will seek to make an example of board directors and executives who are recklessly ill-prepared for cyber attacks by taking legal action against compromised companies that did not take sufficient steps to protect their customers and infrastructure from hackers.

Home Affairs Minister Clare O’Neil recently expressed her frustration with businesses failing to keep up with manufacturer patches designed to keep systems safe.

Longo underlined ASIC's expectation that businesses focus not only on designing systems to be as secure as possible – noting that no system can ever be assumed to be completely secure – along with planning their response to a breach.

“Every system is vulnerable, and we must plan for that,” he said.

Longo also cautioned that boards that fail to prioritise cyber are exposing themselves to the (potential) risk of enforcement action by ASIC.

“For all boards, cyber security and resilience have got to be top priorities.

“If they don’t give cyber security and resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement by ASIC.”

Cyber awareness improves while accountability lags

Less than one in five leaders in information technology have ongoing cybersecurity awareness programs in place, while just a quarter invest in annual cyber training, according to the HLB Cybersecurity Report 2023.

The report surveyed 750 senior IT professionals globally to provide a snapshot of the current cyber-threat landscape.

Fifty per cent of business leaders saw an increase in cyber attacks over the past 12 months, with another 35 per cent indicating the attack levels stayed the same as last year.

Impact of breaches

Accounting firm HLB Mann Judd’s Melbourne partner, Kapil Kukreja, said the report findings are a stark reminder that many organisations remain unprepared for the financial and reputational impacts of a cyber breach.

Kukreja said Australia has unfortunately recorded a number of very high-profile cyber security breaches in recent years, including Canva, Optus, Medibank and Latitude Financial Services.

Last year a Federal Court of Australia ruling found Australian Financial Services (AFS) licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks.

“As a result, all AFS licensees must adequately manage cyber security risks as part of their license obligations,” he said.

Test your cyber security

The Cyber Security Assessment tool was developed by the Department of Industry, Science, Energy and Resources to help improve security skills among Australian small and medium businesses.

It can help identify a business' cyber security strengths and areas where the business can improve.

The tool works by asking a series of questions about how you manage cyber security for your business.

Based on the answers, it will determine your current cyber security maturity level and provide guidance on how to improve.

Users are encouraged to use it at least once a year, so they can understand the next steps to take to strengthen cyber security measures and how to improve them over time.