YOU’VE GOT MAIL: Two businesses in hot water over email invoice scam
Email scams, or “phishing”, can catch any business off guard. Two Australian businesses, who must remain anonymous for privacy reasons, provide a case in point.
According to the ACCC’s Scamwatch, phishing was the most common type of scam in Australia last year, with 74,573 reported incidents and 27,488 incidents of false billing.
We’ve all seen those emails that look like they’re legitimate invoices from a contractor, a supplier or the “tax office”. And yet, it can take just a hasty moment of human error, an accidental click on a link in a highly official-looking email, to compromise a whole business.
When a hacker accesses personal information, including names and credit card details, cleaning up the mess can be an enormous cost to your business – and it can compromise your clients as well.
Triple threat: Three parties, one invoice
It’s what happened to an Australian management consultancy business. Let’s call them Business A.
In November 2022, Business A suffered a security breach in their email system that resulted in fraudulent emails being sent to their clients, with invoices requesting payment into a fraudulent bank account.
The business called their 24-hour Cyber Hotline service available through their cyber insurance policy to immediately report the incident. They worked with a third-party response advisor to conduct a thorough forensic investigation to assess the damage of the email compromise.
What was uncovered was quite the domino effect. The investigators found that the liability would need to be shared between both Business A and another company that received the fraudulent email. Enter, Business B.
Why was Business B roped into the drama? It’s because the fraudulent email impacted a mutual client of both Business A and B (let’s call them The Client). Business B was found to have had the opportunity to identify that the email was fraudulent, but failed to do so. This resulted in losses for The Client.
A tangled web, for sure. An agreement was reached between all three parties: Business A was liable for 40 per cent of the total loss, Business B the other 60 per cent.
How cyber liability was decided
Business A had cyber liability insurance prior to the incident. It’s one precaution small businesses can take to help protect themselves in the event of cyber attacks like phishing (also known as “social engineering”), ransomware and malware attacks.
Insured businesses may have costs covered that are associated with the accidental loss or release of customer information, cyber crime or fraud, extortion and ransomware and related business interruption.
“Most cyber policies will cover you for your net loss of profit and also increased cost of working. And a lot of policies will have post-breach support too,” says Jane Mason, Head of Product, Channels & Risk at BizCover, the small business insurer behind this case.
BizCover helped Business A recover their losses to the tune of $227,506. This included a third-party claim settlement, forensic investigation and rectification costs after the fact.
They were lucky. But Business B and The Client weren’t so lucky.
“When you have the immediate threat, the fire’s coming to the house. But once the house isn’t burning down, we then need to look at the extent of the damage and how we can recover. There’s a number of ways insurance can step in there, like IT forensic services,” Jane explains.
“Those costs can be recoverable under an insurance policy. It’s very important to have cyber liability insurance as part of your broader incident response and then recovery plan.”
“It won’t happen to me”
Despite a rise in cybercrime against small and medium businesses, with losses averaging tens of thousands of dollars, a lot of businesses don’t have a plan for how to deal with a cyber attack.
“There is an ‘it won’t happen to me’ mentality,” Jane says. “Let’s face it, it is not easy. But I think to implement basic cybersecurity procedures is becoming easier than ever.”
Everyday precautions go a long way. The main ones are keeping on top of software updates, performing regular backups and implementing multi-factor authentication for passwords and sensitive details.
“When you think about these cybercriminals, they look for vulnerabilities in some of the most widespread software. Then the software companies look to plug those holes – it’s like a game of cat and mouse. When we don’t update our computers, we’re leaving ourselves vulnerable,” Jane adds.
Another key area is education – Cyber Wardens is a simple education tool that empowers small businesses and staff to protect themselves against digital threats. Just like a fire warden, a ‘cyber warden’ will know what to do in the event of an emergency, like a potential email system breach.
Coming up with a cyber incident response plan
A cyber incident response plan is essential if you want to get on top of a cyber threat before it even happens.
It should outline roles and responsibilities, as well as how to get help in the event of a cybercrime, incident or vulnerability (see these cyber incident response plan guides and templates from the Australian Government).
This will often involve contacting a financial institution if there’s fraud, reporting the cyber crime and seeking the help of your insurer, who can assist you or your IT consultant with response and recovery.
“Having an instant response plan, which includes having insurance in place, is absolutely critical,” Jane concludes. “I think most people would not know what to do if they went into work tomorrow morning, turned on their computer, and there was a ransomware attack or other cyber incident.”
This article is brought to you by Kochie’s Business Builders in partnership with BizCover.
*The provision of the claims examples are for illustrative purposes only and should not be seen as an indication as to how any potential claim will be assessed or accepted. Coverage for claims on the policy will be determined by the insurer, not BizCover.
BizCover acts as agent of the insurer. This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording. © 2023 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769
Adam Bub is the Head of Commercial Media at SmartCo Media (formerly Pinstripe Media), managing digital and TV partner content for Business Builders, Startup Daily, SmartCompany, Flying Solo and Your Money & Your Life. An award-winning strategic storyteller who loves creating value for audiences and brands, Adam has led media campaigns for global brands from IKEA to Amazon to American Express. Adam interviews entrepreneurs on the Business Builders podcast First Act.