Money | The latest blogs, articles & guides from our best storytellers

Nearly 1 in 2 employees put organisations at risk of cyber attacks – medium-sized businesses worst offenders

5 min read
3 Jan 2020

Cyber attacks are rapidly increasing among Australian organisations,[1] with cybercrime costing our economy more than $1 billion annually.[2] On top of this, small businesses account for 43 per cent of all cybercrime targets.[3] Now, new research reveals that the online activities of nearly half of Australian employees have put the organisations they work for at risk of online attacks.

We commissioned a survey of an independent, nationally representative panel of 1007 Australian employees who use a computer at work.[4] Respondents were presented with six activities that could put their organisation at risk of a cyber attack and asked whether they had done any of the following on their work computers: opened an attachment or a link in an email from an unknown contact; downloaded apps, software, videos or games without their employer’s permission; shared viral emails from unknown sources; and ignored computer updates.

Cyber attacks refer to deliberate malicious activity against a computer network or system to compromise security, economics or stability.[5] The findings reveal that 44 per cent of employees have put their company at risk of a cyber attack. Medium-sized businesses (20-199 employees) compromised their employer the most, with 53 per cent of respondents admitting to potentially unsafe activity on their work computer. This is followed by large organisations of 501-1000 employees (48 per cent of respondents), organisations of 201-500 employees (47 per cent), and 43 per cent of employees in small businesses (0-19 employees). also found, among employees who had carried out risky computer behaviours,[6] 61 per cent admitted they had opened an attachment in an email from an unknown source, and half (50 per cent) had opened a link in an email from an unknown, external contact.[7]

Opening emails from unknown recipients can be hugely damaging – recent research shows that one in 728 emails in Australia is a malicious email, and 48 per cent of all malicious email attachments are in an Office file format.[8] In 2018, email scams cost businesses more than $60 million in lost revenue and time[9], and concerningly, 87 per cent of small businesses think using antivirus software alone means they’re safe from cyber attacks.[10]

Older employees seem to be putting businesses most at risk through suspicious email activity. Two-thirds (67 per cent) of 50-69-year olds have opened an email attachment from an unknown contact, compared with 54 per cent of under-30s. Employees in medium-sized businesses are the biggest culprits with this type of activity at 66 per cent, closely followed by businesses of 201-500 employees (65 per cent).

Thirty-three (33) per cent of employees have ignored computer notifications and updates on their computers. Regular computer updates[11] are vital as they may contain important security features to guard against recent viruses and attacks.[12]

Interestingly, it was the younger cohort that were most negligent about updating their malware and other types of security on their computer: 43 per cent of under-30s ignored notifications on their PC to update their security, compared with just 22 per cent of those in their 40s. Small businesses are most at risk of cyber attacks from this risky behaviour, with 39 per cent of employees in small businesses admitting they’ve done this.

Further computer-related actions respondents admitted to doing at work included downloading an app or software from a third-party website without their employer’s permission (29 per cent) and sharing emails from friends or other contacts that are going viral where the original source is unknown (22 per cent).

Cybercrime is becoming increasingly sophisticated and is harming more and more Australians each day.[13] Fake emails, texts and invoices are being sent to both businesses and consumers to access personal information. The price of cybercrime in Australia is extremely costly to businesses, with 40 per cent of cybercrime costing businesses from $1000 up to $5000.[14] The Government recommends businesses have a cyber security policy in place to minimise the chances of online attacks, so employees are fully educated around safe computer usage.[15]

Cyber liability cover within business insurance protects businesses against cyber attacks and breaches. It may differ among insurers, but can include liability to organisations’ third parties, reimbursing expenses due to a breach or loss of business profits, and ransom payments that may be required to stop a privacy threat.[16] is a free comparison site that allows you to compare a range of small and medium business policies, specifically cyber liability insurance, to insure you against breaches, loss of data, hacking and more.

Risky activities respondents have carried out on their work computers

On your work computer, have you done any of the following?All AussiesNumber of employees
Opened an attachment in an email from a contact you don’t know61%58%66%65%57%58%
Opened a link in an email from a contact outside of your organisation that you don’t know50%49%53%56%43%44%
Downloaded an app or software from a third-party website without your employer’s permission29%23%31%41%23%31%
Downloaded a video or game from a third-party website without your employer’s permission.13%14%13%24%7%9%
Shared emails from friends or other contacts that are going viral, where the original source is unknown22%26%24%22%10%21%
Ignored notifications on your PC about malware and other types of security that needs updated33%39%31%31%33%28%


[1] Accenture’s Ninth Annual Cost of Cybercrime Study reveals that the average annual cost of cybercrime in Australia is US$6.79 million in 2018 and US$5.41 million in 2017. Currency conversion from USD to AUD is correct as of 23 January 2019.
[2] Australian Small Business and Family Enterprise Ombudsman,
[3] Ibid
[4] Conducted by Pure Profile (January 2020)
[5] Australian Cyber Security Centre, 2017,
[6] The survey data included throughout the rest of the media release is based on the percentage of respondents who have done risky activities on their work computer
[7] Results calculated based on percentage of respondent who have done potentially risky activities on their work computer
[8] Australian Cyber Security Centre,
[9] Australian Competition & Consumer Commission, 2019,
[10] Australian Small Business and Family Enterprise Ombudsman,
[11] Stay Smart Online,
[12], 2019,
[13] Australian Cyber Security Center,
[14] NSW Small Business Commissioner, 2017,
[15] Business, 2019,
[16] analysed information on cyber liability policies from three sources: BizCover’s Cyber Liability Insurance Facts , DUAL’s Liability & Private Protection Insurance and AIG’s CyberEdge and found these inclusions to be covered.
Did you find this article interesting or helpful?
avatar of author: Hannah Twiggs

Written by Hannah Twiggs

Hannah (or Twiggs as she's known by most of her colleagues) is a non-stop talker, avid snack eater, dog lover and passionate writer. When she's not chatting to journalists or writing up new story angles, Hannah enjoys a good Netflix binge, going away camping with friends and big brunches - preferably with extra bacon.

Read more from Hannah