SMEs urged to cut data & boost cyber defences as attacks rise
Cybersecurity Awareness Month has brought renewed attention to the increasing risks faced by organisations of all sizes, with a particular focus on the growing threat to small and medium-sized enterprises (SMEs) in Australia and the UK.
SMEs face rising risks
There has been a marked increase in the frequency and impact of cybercrime targeting SMEs. According to Andrew Black, Managing Director of ConnectID, a cybercrime is reported every six minutes in Australia, and the average cost to a small business now reaches AUD $46,000 per incident. Yet, despite these figures, just 35% of small business leaders admit to feeling vulnerable to attack, even though the majority have encountered a threat personally or professionally.
Black warns this disconnect is exposing both businesses and customers to significant risk, highlighting the need for a shift in strategy. "While investment in software and staff training is important, it is not enough. With 81% of small business leaders and employees having experienced a cyber threat at work or in their personal lives, the focus must shift to reducing the amount of data they hold."
Data minimisation as protection
Storing unnecessary information, from identity documents to financial records, increases the potential impact of a breach. Black urges small businesses to adopt data minimisation strategies, collecting only what is necessary to verify identity and avoiding the storage of whole documents.
"Data minimisation can help reduce the impact of a breach and builds trust with customers, particularly in sectors that handle sensitive information every day," Black says.
Digital identity solutions, such as those using bank-verified digital checks, enable businesses to verify customers without holding excessive sensitive data. This reduces the risk and administrative burden while enhancing the customer experience, as there is no longer a need for unnecessary copies of identity documents.
Legacy systems and the threat landscape
The danger of legacy technology remains a major concern. Pieter Danhieux, CEO and Co-Founder of Secure Code Warrior, notes that ageing, unpatched systems are an attractive target for threats, and that the risks are compounded as organisations integrate artificial intelligence (AI) into their infrastructure.
Danhieux stresses the importance of continuous learning for security teams to defend both new and existing systems effectively. "This can only be done through continuous, current security learning pathways, and complete observability over their security proficiency, commits and tool use. These data points are crucial to build sustainable, modern security programs that eradicate single points of failure and remain agile enough to combat new and legacy threats."
AI-driven threats and identity verification
Artificial intelligence has also heightened the sophistication of attacks, with AI-driven phishing scams now a top concern for Australians. Ash Diffey, Vice President ANZ at Ping Identity, references the Ping Identity 2025 global Consumer Survey, stating that 42% of Australians worry most about AI-based scams, while only 20% feel very confident in distinguishing scams from legitimate communications.
"Organisations must move beyond traditional defences and leverage the powerful combination of biometric authentication and verifiable credentials. By putting identity at the centre of our digital lives, we can dramatically reduce the success of scams and take meaningful steps toward creating a more secure digital world," says Diffey.
Supply chain and collective responsibility
Michael Downs, Vice President of Global Sales at SecurEnvoy, points to the rise in software supply chain attacks and recent disruptions to auxiliary services in major airports as evidence of the risks that third-party vendors can introduce. He highlights that compliance alone is insufficient, noting the need for a shared security culture and a proactive, awareness-driven approach across organisations and their suppliers.
Downs comments, "It's important to recognise that the 'weak links' are not always down to technical failures, but human error plays a huge part. Security fatigue and inconsistent practices within smaller suppliers can create vulnerabilities just as damaging as a software flaw."
Integrated security strategies
For many businesses, investments in security are rising, but are not always coordinated. Sam Peters, Chief Product Officer at IO, cites a recent report showing a 73% increase in spending on information security over the past year. Despite this, nearly half of organisations still lack a clear framework for effective risk management. Peters advocates for aligning security tools with established governance frameworks like ISO 27001 to ensure clarity and efficiency across departments.
Continuous monitoring and business continuity
Rob Demain, CEO at e2e-Assure, emphasises the need for 24/7 monitoring, particularly for organisations providing essential services. He notes that continuous detection and response planning are as vital as prevention, helping to contain and remediate incidents before they escalate into major disruptions.
Demain concludes, "Resilience is about people, processes and culture and organisations should think about this, not just for Cybersecurity Awareness Month, but as a wider strategy to embed cybersecurity into their continuity planning, rather than treat it as an afterthought."
Granular defences and automation
Martin Jakobsen, Managing Director of Cybanetix, advocates for a detailed and 'paranoid' approach to cyber threats, advising organisations to pay particular attention to small anomalies and low-fidelity alerts that might signal larger attacks. He encourages businesses to support this vigilance with modern tools, robust identity controls, and AI-driven automation, particularly through Security Orchestration, Automation and Response (SOAR) platforms.
Jakobsen believes these measures will help businesses strengthen resilience and improve their overall security posture amidst a climate of increasing cyber risk.