Nearly a quarter of New Zealand small and medium sized business have been a victim of cyber-attacks, new research has revealed.

The MYOB Technology Snapshotfound 24% of SMEs have been a victim of a cyber-attack or malicious cyber activity, as more businesses become digitised and instances of cyber-crime increase.

Of those SMEs who have been targeted by malicious cyber activity, nearly half (49%) said they had experienced a phishing attack, 44% had been targeted with malware, and a quarter (25%) had experienced a ransomware attack.

The findings also highlighted that most SMEs are taking basic precautions to protect themselves online.

Nearly three quarters (74%) of those polled said they have anti-virus protection, 60% said they have firewalls in place in their business, and more than a third (37%) have two-factor authentication. However, just 27% of SMEs have had specific staff training to protect the business and themselves from scammers or online phishing.

MYOB senior sales manager SME Krissy Sadler-Bridge says that while technology can provide SMEs with protection from cybersecurity threats or attacks, security programs aren't the only option for businesses.

"Learning how to be cyber-safe and how to identify red flags should become regular, essential training for business owners and all employees," she says.

"Starting with the basics, such as creating unique passwords, backing up data and ensuring the business has two-factor authentication is important, but understanding what to look out for as different types of cyber-attacks evolve, is key."

Business repercussions

The experience of cybercrime is also having large repercussions for SMEs, their employees and their customers. More than two-in-five (42%) SMEs who had experienced a cyber-attack said their private files were accessed and 30% revealed that their customer or client data was made available on the dark web.

"Being a victim of a cyberattack can be incredibly scary, particularly if private documents get accessed or personal threats are made," says Sadler-Bridge.

"Even beyond the impact to an SMEs business and customers, going through these experiences can also affect the wellbeing of employees involved," she says.

"Preparing for worst-case scenarios by having plans in place to report suspicious behaviour immediately, or a list of people to call should the business encounter an attack like the Computer Emergency Response Team (CERT NZ) or even the police can help ensure a business moves swiftly and correctly to respond to any attack before it has an even bigger impact."

Mitigating risk

When MYOB asked SME owners and decision makers whether they had any preventative and reactive cybersecurity processes in place, just over half (54%) of those surveyed said they did, while more than a quarter (28%) did not and the remaining 18% didn't know.

Actively monitoring for cyber security threats also isn't happening as often as it could be. While this could perhaps be due to a reliance on their security technology, only 19% said they check and update their security measures weekly, while 18% check this monthly and one-in-10 (10%) do this every 4-6 months. Nine percent of SMEs said they check and update their cyber security protection measures every few days.

"Regularly reviewing the business' cyber security protection is essential to spotting any gaps in the software, or important updates or bug-fixes that the program may have released," says Sadler-Bridge.

"As SMEs are in control of a lot of private information, continuously monitoring and testing safety measures will help ensure they are getting the best possible coverage," she says.

"What's also concerning when it comes to business protection, however, is that more than a quarter of SMEs (27%) said they didn't know if their business was covered for cyber-attacks under their current business insurance policy," Sadler-Bridge adds.

"While there are no shortage of costs SMEs need to manage to run their business with insurance being one of these, having the right protection in place here could save them thousands of dollars in the long run, so Id strongly encourage any business owner to check in with their broker or provider about this."

Improving preparedness

To help boost knowledge and confidence levels around cyber security and preparedness, the insights showed that SME owners and decision-makers are eager for more education around cyber security to protect their business.

Nearly a third (32%) of SMEs said more education on the types of cyber security threats affecting businesses and what to look out for would be most beneficial, and 30% said they would benefit from more education on how to plan and prepare for a cyber security incident.

Sadler-Bridge says bringing in cyber-safety specialists that offer training could be extremely useful for businesses, especially since many SMEs see education as a tool that could be beneficial to their business.

"As scammers and hackers are becoming increasingly sophisticated, regular training on new cybercrime techniques could be key to keeping them at bay," she says.

"There are a number of specialists that operate programs where the training sees them target a business with fake scams or phishing attacks, to see if employees can identify malicious activity and understand how they would respond. Running through real-world scenarios might seem intimidating, but they can really help identify strengths and weaknesses in an organisations response."