How small business owners can assess cyber risk

With cybercrime reaching record levels, Australia’s 2.5 million small businesses are increasingly looking for ways to lock the digital doors to their information.

Many experts urge a dual approach when developing a business cybercrime plan, recommending cybersecurity (to safeguard against cyber threats) and cyber insurance (to protect against the consequences if a cyber-attack does occur).

Small businesses are failing on both fronts, with nearly half spending only $500 on cybersecurity while just one in five protect their business with cyber insurance.

While there are many reasons for this, a common denominator of both components is the ability (or lack of it) to identify cyber risk.

With the increasing frequency and sophistication of cyber-attacks, cybersecurity expert Fiona Long says it’s more important than ever to have strong cybersecurity and cyber insurance controls in place.

“To do this effectively, small businesses need to know how to identify cyber risk and understand its relationship with their controls and compliance,” says Fiona, who is the founder of Sydney-based cyber solutions platform InfoSecAssure.

“That way, small business owners can make informed decisions about protecting their business.”

Cybersecurity expert Fiona Long, Founder of Sydney-based cyber solutions platform InfoSecAssure

Defining cyber risk, controls, and compliance

Cyber risk, controls, and compliance can be overwhelming concepts to understand.
But in order to best protect businesses from the consequences of a cyber-attack, Fiona says it’s important to define each concept before devising a plan.


In general, risk is the chance of an event happening that has negative consequences. So, a way to describe cyber risk is the probability of loss or exposure resulting from a cyber-attack.

The standard formula for assessing a cyber risk is:

Risk = Likelihood (Threat × Vulnerability) × Impact


  1. Likelihood – the chance of something happening.
  2. Threat – a malicious or negative event that takes advantage of a vulnerability.
  3. Vulnerability – a weakness, flaw or other shortcoming in a system (infrastructure, database or software), process, or set of controls that could be exploited by a threat.
  4. Impact – the potential consequence to a business or person such as loss of money, physical harm or other impacts.


Cybersecurity controls are the technical, procedural and people measures that aim to prevent and detect the events behind a risk. A control reduces a risk either by removing or reducing the vulnerability a threat would exploit (lowering the likelihood) or by limiting the damage if the threat succeeds (lowering the impact).


Compliance is the act of actually implementing and keeping up a particular control or requirement.

Audits are typically conducted to assess a business’s compliance against a regulation or internal set of rules.

In the world of cybersecurity, compliance is often assessed by conducting assessments through a checklist of controls.

What comes first – Risk or Controls?

Navigating where to start when it comes to identifying risks and selecting the right controls to adhere to can be a daunting task.
Many small business owners get lost in a world of controls; sinking money towards security that might not actually be beneficial to mitigating the risk.

“Simply having large amounts of controls isn’t enough; rather the aim should be for them to reduce the actual risk posed – otherwise where is the return on investment?” says Fiona.

“A risk assessment should be conducted first in order to tailor the controls to the situation.”

A risk scenario – a short description of the vulnerabilities, threat and potential impact – is a great place to start.

For example, take this statement:

“Poor password management leads to unauthorised access to sensitive information resulting in a significant data breach.”

The statement contains the:

  • Vulnerability = Poor password management
  • Threat = Unauthorised access
  • Impact = A significant data breach

“From here, you can identify a very specific risk. Now you can put appropriate controls in place,” says Fiona.
For the risk scenario above, a control could be to use multi-factor authentication or a password management system.

Finally, the last step is compliance – ensuring that the control is always implemented for as long as the risk is present.

“Compliance is often where the whole process breaks down. Good risk identification and cybersecurity mean nothing if nobody complies with the control.”
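The formula above (Risk = Likelihood (Threat × Vulnerability) × Impact) and the risk-scenario-to-controls-to-compliance sequence just described can be worked through in a small risk register. The following Python is an added example, not InfoSecAssure’s or BizCover’s own method: it uses an assumed 1–5 qualitative scale for threat, vulnerability and impact, assumed rating bands, and assumed reduction values for each control. The important point it demonstrates is the last one in the article: a control that is listed but not complied with contributes nothing to the residual risk.

```python
import math
from dataclasses import dataclass, field

# Assumed 1-5 qualitative scale for threat, vulnerability and impact.
# The article gives the formula, not the scales or bands; these are illustrative.
SCALE_MAX = 5


@dataclass
class Control:
    """A control plus the compliance state the article warns about."""
    name: str
    vulnerability_reduction: int = 0   # points taken off the vulnerability rating
    impact_reduction: int = 0          # points taken off the impact rating
    implemented: bool = False          # compliance: is it actually in place today?


@dataclass
class RiskScenario:
    """The article's short risk statement, split into its three parts and rated."""
    vulnerability: str
    threat: str
    impact: str
    threat_rating: int
    vulnerability_rating: int
    impact_rating: int
    controls: list = field(default_factory=list)

    def statement(self) -> str:
        return f"{self.vulnerability} leads to {self.threat} resulting in {self.impact}."


def clamp(x: int) -> int:
    return max(1, min(SCALE_MAX, x))


def likelihood(threat: int, vulnerability: int) -> int:
    """Likelihood = Threat x Vulnerability, rescaled back onto the 1-5 scale."""
    return clamp(math.ceil(clamp(threat) * clamp(vulnerability) / SCALE_MAX))


def risk_score(threat: int, vulnerability: int, impact: int) -> int:
    """Risk = Likelihood(Threat x Vulnerability) x Impact, range 1-25."""
    return likelihood(threat, vulnerability) * clamp(impact)


def risk_rating(score: int) -> str:
    """Assumed rating bands for a 1-25 score."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def assess(scenario: RiskScenario) -> dict:
    """Inherent risk, then residual risk counting only controls actually complied with."""
    inherent = risk_score(scenario.threat_rating, scenario.vulnerability_rating, scenario.impact_rating)
    live = [c for c in scenario.controls if c.implemented]
    gaps = [c.name for c in scenario.controls if not c.implemented]   # paper controls
    vuln = clamp(scenario.vulnerability_rating - sum(c.vulnerability_reduction for c in live))
    impact = clamp(scenario.impact_rating - sum(c.impact_reduction for c in live))
    residual = risk_score(scenario.threat_rating, vuln, impact)
    return {
        "inherent": inherent, "inherent_rating": risk_rating(inherent),
        "residual": residual, "residual_rating": risk_rating(residual),
        "compliance_gaps": gaps,
    }


def password_scenario(mfa_implemented: bool) -> RiskScenario:
    """The article's example scenario with assumed ratings and control values."""
    return RiskScenario(
        vulnerability="Poor password management",
        threat="unauthorised access to sensitive information",
        impact="a significant data breach",
        threat_rating=4, vulnerability_rating=5, impact_rating=5,
        controls=[
            Control("Multi-factor authentication", vulnerability_reduction=3, implemented=mfa_implemented),
            Control("Password manager", vulnerability_reduction=1, implemented=True),
            # Insurance is treated, as the article does, as a control on the financial impact.
            Control("Cyber liability insurance", impact_reduction=1, implemented=True),
        ],
    )


if __name__ == "__main__":
    for rolled_out in (True, False):
        s = password_scenario(rolled_out)
        print(s.statement())
        print(f"  MFA implemented={rolled_out}: {assess(s)}")
```

With every control complied with, the scenario drops from an inherent score of 20 (critical) to a residual score of 4 (low). Flip multi-factor authentication to "approved but not rolled out" and the residual score stays at 16 (critical) while the register flags the compliance gap, which is the situation Fiona describes when the process breaks down.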

Cybersecurity is only half the battle

Even once you have identified a risk and put controls in place to prevent its impact, cybercriminals can still get through.

Sometimes risk prevention is not enough, and businesses need a financial safeguard in place for when things go wrong.

“Cyber Liability insurance can be seen as an additional control as it is designed to protect your business from the legal costs and expenses related to a data breach or cyber-attack,” says Fiona.

Your coverage may generally include cover for expenses and restoration costs relating to the following:

  • Data breaches including theft or loss of client information
  • Network security breaches
  • Business interruption costs
  • Forensic investigation into the cause or scope of a breach
  • Data recovery costs
  • Crisis management costs (to protect or mitigate damage to your business’s reputation resulting from a cyber event)
  • Loss and legal costs, including fines and penalties resulting from a third-party claim for data or network security breach against your company

“And if you don’t think you can deal with the financial consequences of an attack then you may need to consider Cyber Liability insurance,” says Fiona.

“Consider checking out the BizCover platform, where you can compare Cyber Liability insurance quotes and get covered instantly.”

The bottom line

Cybersecurity risk could severely affect any small business.

It is the probability of an attack or breach that compromises data, technical infrastructure and an organisation’s overall credibility.

Because the events behind it are hard to predict and their ramifications are increasingly severe, understanding the depth of your exposure is essential to guarding your business against serious losses.

That’s why cyber risk must be addressed holistically.

“At InfoSecAssure we spent years studying the issues we describe above and developed a solution which offers businesses and their advisors with a balanced approach between assessing controls, identifying risks and ensuring multiple practical outcomes can be achieved, every time,” says Fiona.

“Our simple approach to assessing the controls within your business allows you to quickly identify your risks, your control maturity and your compliance across key security standards.”

Contact InfoSecAssure for a free demo or consultation and consider BizCover for your business insurance needs.

This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.  © 2023 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769 
