“Plan for a criminal incident to happen so you can respond when it does. Understand that cybercrime isn’t going away. It’s big business, with small and medium-sized enterprises (SMEs) a key target because they often have fewer security controls than larger organisations,” he says. 

“It’s estimated that this year alone, the cybercriminal economy is worth $1.5 trillion. Next year, this figure will jump to $2 trillion. These huge profits eclipse both the drug and the porn industry.”

When examining the impact of cybercrime on his clients, Hopkins discovered these startling statistics:

  • $700,000 is the average loss SMEs suffer from a cyber incident.
  • 4-5 weeks is the average time a criminal lurks in a computer system before detection.
  • Two months is the average time it takes to resolve a cybercrime.

Compare these high costs with the ease with which criminals can enter the cybercrime industry. Hopkins explains that for as little as US$6, a criminal can purchase malware for undertaking a cryptocurrency fraud. On the dark web, a piece of ransomware costs a mere US$45. For a remote access trojan, the price tag is as low as US$10, and with this cheap software, a hacker can monitor and control a victim’s computer network.

Where to start with cybersecurity?

The good news is that businesses can protect themselves from many of these criminal attacks. Hopkins estimates 95% of the cybercrime incidents he helps remediate could have been avoided with simple controls. 

“Nine out of ten clients have installed and migrated their systems to Microsoft Office 365 but have failed to activate the built-in security measures. Criminals exploit this vulnerability.” 

Hopkins says that a person’s identity is especially lucrative. He explains that when personally identifiable information is stolen, criminals can use it as a tool to enter computer or email accounts and to commit identity theft and fraud. Depending on the circumstances, criminals can also use it for blackmail and extortion.

Business owners and senior management are considered high-value targets for cybercriminals. For this reason, it’s crucial that business leaders are aware of the impact identity theft could have, not only financially, but also on their reputation and digital footprint. The penalties are severe for directors who fail to comply with the Office of the Australian Information Commissioner’s mandatory Notifiable Data Breach Scheme.

The scale of the problem indicates how vital it is to embed cybersecurity in all aspects of workplace procedures and culture. Hopkins recommends senior executives take on board these top five initiatives for building resilience against cybercrime.

1.  Form a baseline

Start by understanding where your vulnerabilities lie and where you should focus your efforts. You want to know which are your most critical assets and how well these are protected and updated. Gather this intelligence from several sources, including by conducting a risk assessment (also known as a current state cyber resilience assessment) and surveying your staff and managerial teams. Consider performing some internal, controlled technical testing. 

2.  Get everyone on board

Cybersecurity isn’t the job of one person; everyone in the business needs to be involved. This means getting data governance processes, policies and procedures in place to direct good behaviours from the top down. It also requires business owners and senior management to define their risk appetite for cybersecurity, privacy and information risk. From here, set the strategy that will improve the current state and manage ongoing resilience. To ensure the plan gets put into action, assign operational responsibility to a single person.

3.  Plan to respond and recover

Accept that cyberattacks will occur and produce an action plan to reduce the risks and impact. The project should bring together all divisional stakeholders to manage a crisis, not just IT. Be prepared to act quickly by establishing links with on-demand specialist services such as digital forensics and incident response.

4.  Build a cyber-aware culture

All the best IT defences won’t protect your business if you don’t train and educate staff to guard against potential attacks and follow your cyber rules. Establish a regular safety and awareness engagement program using a combination of strategies such as newsletters, eLearning, new starter briefings and a manual outlining what staff are and are not allowed to do. Conduct controlled exercises that practically demonstrate the different ways hackers might try to breach your security. Make your people aware that this is a vital issue for them to be conscious of both at work and at home.

5.  Get operational

Create a robust cybersecurity partnership between risk, compliance and IT. Start with the “Essential Eight” strategies developed by the Australian Cyber Security Centre (ACSC). These include doing daily backups of data, restricting administrative privileges, making sure security patches are in place and enabling multi-factor authentication on your accounts. Then transition to initiatives that mitigate your current state risks.

Run frequent tests and updates of your business continuity plans, asset management, disaster recovery, incident management and other threat management plans. Your critical assets, vulnerabilities and threats can change rapidly, so your plans should change with them. Aim to shorten the gap between a cybercrime activity happening, your awareness of the event and your response.


Equifax has a range of solutions that can help businesses protect themselves from cybercrime. Contact us to find out more.