Date posted: 03/11/2021

Q&A: Ransomware attacks on SMBs

With ransomware attacks increasing, Aon cyber security lead Chris McLaughlin answers common questions. Brought to you by Aon.

Chris McLaughlin, Cyber Solutions Group director at Aon, would like SMB leaders to understand just how vulnerable they are so they can be better prepared if they are attacked. Here, he shares answers to commonly asked questions.

Q: What has happened when you experience an attack?

Attackers use easily available tools that run 24/7 looking for vulnerabilities across the internet. Once vulnerabilities are found, attackers act en masse. So if you’re attacked, they have most likely found a vulnerability in your IT provider’s network, introduced malware and executed it.

Ransomware has been industrialised, so if you’re attacked, it’s more likely you’ll fall victim to a network sweep as described above, but if you are specifically targeted, you’ll probably be sent bespoke emails or attackers will try to get individuals in your organisation to go onto malicious websites and download malware.

Q: How will you discover you’ve been attacked?

Services start to become unavailable. For example, you might not be able to access files on a database or access your email. You’re progressively locked out of your own systems by malware that is encrypting everything. Very quickly you’ll start getting notes that say you’re being held to ransom, how much the attackers want, and how to pay them. A lot of the notices have a timer on them that says if you don’t pay quickly you’ll have to pay a lot more.

Q: What blind spots do small businesses have?

One is the belief that data held by a third party is always secure. You’ve got to know what you’re buying. A small IT provider offering a bargain rate may not have great security. For bigger providers, if you read many cloud contracts they all say that security is a shared responsibility. Ultimately, it’s safer to assume that organisations cannot outsource responsibility.

Q: Are accounting businesses at particular risk?

Attackers want bang for their buck. They don’t just extort money, they monetise stolen data as an asset in its own right. If you’re a chartered accountant with 50 clients, and each of those clients employs 10 people, then you’ve potentially got hundreds of very valuable records, including bank account numbers, tax file numbers – you name it.


Your company’s data is also not your only risk: there is also your potential liability for failure to safeguard data you hold for others.

Q: How does cyber insurance work?

It costs a lot to respond to an incident. Ideally, you want a breach coach from a reputable and experienced law firm that has cybersecurity specialists who can triage the incident and bring in the right skills and resources to help you mitigate the damage. Generally, what insurers do is assign you that coach and can provide cover, up to the policy limit, for associated costs.

Broadly speaking, those costs can include first-party losses such as investigation forensics and the reconstitution of internal systems and data, and third-party losses such as (subject to your policy wording) any liabilities or legal actions that result from a cyber event.

Aon’s particular approach to insurance is risk-based, rather than one-size-fits-all, which is better for SMBs.

We use data to understand our clients and find them the appropriate policy and level of limits to make sure that their balance sheet is as well protected as possible.

Find out more:

Aon is a partner of the CA ANZ Member Benefits Program and provides exclusive benefits to its members. To find out more and get a quote, go to

Aon has taken care in the production of this document and the information contained in it has been obtained from sources that Aon believes to be reliable. Aon does not make any representation as to the accuracy of the information received from third parties and is unable to accept liability for any loss incurred by anyone who relies on it. The recipient of this document is responsible for their use of it.