Here’s an underappreciated reality – SMEs are fast becoming the preferred targets for cyber criminals.

And not because they’re an especially lucrative prizes individually but because automation makes it easy to attack anonymously and in bulk, and far too many SMEs are easy targets.

Why? Most SMEs just don’t have the budget or workforce to apply expert software, processes and experience to put in place measures as secure as larger enterprises – an SME is, simply, an easier target. And it’s a big target market if you are a cyber crook.

Statistically, there are some 2 million SMEs in Australia, making up over 95% of businesses and contributing about $380 billion to the Australian economy. This makes SMEs a lucrative and vulnerable target for cyber criminals simply because too many are not paying attention.

In 2014, nearly 700,000 Australian organisations experienced a cyber-attack and that’s just those who report the breach or attack. Or who even realise they have been breached – increasingly the sophisticated scams lie hidden and undetected quietly siphoning data or co-opting a business’ computers into an anonymous robot workforce.

Most SMEs are unaware they are being targeted and often significantly underestimate the true costs of these crimes. In fact, Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security, has estimated that cyber-crime costs the Australian economy over $1 billion per year. Even more alarming is his contention that of SMEs that are the target of a cyber-attack, 60% of them fail within 6 months of the attack – such is the business impact of the disruption that these events can now inflict.

So what do we do to better protect ourselves, our businesses and our customers?

Step 1: Be aware, take it seriously and put cyber risk and information security on the business agenda. It is primarily a business culture and governance issue, and not purely an IT issue.

Step 2: Understand the current status of your potential exposure and identify what and where the risks are. If you are unsure of how to do this, consult an expert.

Step 3: Do something with what you learn. Act to implement improvements to mitigate risk and protect yourself. This doesn’t have to mean a bunch of new technology and big ticket expenses – there are lots of simple process and procedural steps you can implement that will immediately reduce your risks.

Step 4: Stay active and aware. This is not a one-off thing, it needs to become part of regular staff awareness and the management and control processes within your business.

Kevin Morgan is a Director at FooForce, a long established Sydney based IT Services and Consulting firm specialising in delivering services and solutions to the SME market across Australia and internationally. FooForce are one of a relatively few ISACA accredited providers of formal globally recognised Cyber Risk Review and IS Audit and Risk Assessment services.