The rise in hacking attacks, including some high-profile cases, has seen Australian businesses up the ante on protecting their systems.

An estimated 78 per cent of businesses are increasing their investment in cyber protection measures. Despite these positive numbers, questions remain over whether funds are being directed to the right areas in IT budgets.

Business owners and company boards should be allocating sufficient budgets for technology as well as training and human resources. As a general rule, businesses should set aside 1-5 per cent of their annual IT budget for cyber security measures, including training of staff. In addition, businesses should consider a formal cyber strategy and cyber response plan.

The prevalence of attacks is irrefutably increasing. Small businesses account for more than 97 per cent of all Australian businesses. The Australian Cyber Security Centre (ACSC) estimates 43 per cent of all Australian cyber-crime is directed at small businesses, with cyber criminals aware of limitations in investing in cyber security measures.

The ACSC puts the average cost of cyber-crime to small business at $39,000; $88,000 for medium business, and over $62,000 for large business. Currently, cyberthreats and scams targeting small businesses cost the Australian economy an estimated $29 billion a year.

Cyber protection budgets should be apportioned to people and processes, not just technology infrastructure. It’s critical for businesses large and small, and across every sector, ensure investment is made in the right areas to mitigate cyber security risks.

Under the new Cyber Warden Program, the Federal Government will be investing $23.4 million in cyber wardens to build small business cyber resilience, with up to 60,000 wardens available in the next three years. Some of the most at-risk sectors include government, health and social assistance, information and telecommunications, and education and training.

The reality is that hackers don’t discriminate. Therefore, if a system carries any vulnerability, they will be able to exploit it and use the information obtained to their advantage.

Recent high-profile attacks have highlighted the reputational and financial consequences for businesses. Directing the right amount of funds into the right areas should now be considered the number one operational priority.