4 September 2023
The five key questions to keep your business cyber-safe
Small business is big business, with Australian Bureau of Statistics figures showing 97 percent of Australian businesses have fewer than 20 staff.
But small business is also big business for cybercrimes.
In today’s digital world, where your business is run on applications like MYOB, Xero, Hubspot and Dext, small businesses are treasure troves of personal customer data. And, without big budgets for cybersecurity or dedicated staff resources, they’re often viewed as easier targets.
Exacerbating the situation is the rapid advancement of artificial intelligence and offerings such as ChatGPT, with their potential to lower the barrier to entry for cybercrime, open up new avenues for hackers and make attacks more scalable.
The ACSC’s Cyber Security and Australian Small Business report shows 62 percent of small business respondents have already experienced a cybersecurity incident.
Those attacks have big impacts for small business, with reports suggesting more than 60 percent of small businesses don’t survive a cyberattack or data breach.
Small business owners know, and fear, those threats: research by the Council of Small Business Organisations Australia (COSBOA) shows just 21 percent of small business owners are confident they would recover from a cyber threat.
1 cybercrime report every 7 minutes
The ACSC receives around 206 reports of cybercrime a day
43 percent of all cybercrime is directed at small businesses, according to a survey by the Council of Small Business Organisations Australia
Cybersecurity threats fall into three main areas:
Scams
Scams, which include phishing attacks, usually entice users to click a malicious link, download a malicious file or provide access to information such as credentials or account details.
$39,000 per attack was the average cost of a cyberattack or breach for small businesses in 2021-22.
Business email compromises
Business email compromise messages are a form of phishing attack aiming to trick employees in order to steal money or information. They’re emails from ‘trusted’ accounts which have been compromised, or sent by other means including from domain names that look very similar to a real business’s. Here at Synergy IT we’ve seen too many cases where companies received falsified invoices with altered account details from companies they deal with. And we’ve seen far too much money lost to these compromises.
Malware
Malware is a catchall term for malicious software including ransomware, viruses and spyware.
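The two warning signs described above for business email compromise, a sender domain that only looks like a supplier’s real domain and an invoice whose bank details differ from what is on file, can both be checked mechanically before an invoice is paid. The script below is an added example, not code from Synergy IT or from any of the products named in this article; the supplier names, domains and account numbers in it are constructed sample data, and the list of look-alike character substitutions is a small illustrative set, not a complete one.

```python
"""Added example (not from the article): two checks a finance team or a
mail-filtering step can run on an incoming supplier invoice email.

1. Flag sender domains that are almost, but not exactly, a trusted
   supplier's domain (look-alike domains).
2. Flag invoices whose bank details differ from the details already on
   file for that supplier (altered account details).

All supplier domains and account numbers are constructed sample data.
"""

# Constructed sample data: suppliers this business already deals with,
# keyed by the exact domain they send from, with bank details on file.
TRUSTED_SUPPLIERS = {
    "acme-widgets.com.au": {"bsb": "062-000", "account": "12345678"},
    "northshore-printing.com": {"bsb": "033-100", "account": "87654321"},
}

# A small illustrative set of substitutions used to make one domain look
# like another. Applied to both sides, so folding is consistent.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold common look-alike substitutions."""
    folded = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_check(from_header: str, max_distance: int = 2):
    """Return (trusted_domain, reason) when the sender's domain resembles a
    trusted supplier without being it; None for an exact or unrelated domain."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_SUPPLIERS:
        return None
    folded = normalise(domain)
    for trusted in TRUSTED_SUPPLIERS:
        if folded == normalise(trusted):
            return trusted, "character substitution"
        if edit_distance(folded, normalise(trusted)) <= max_distance:
            return trusted, "near match"
    return None


def account_change_check(supplier_domain: str, bsb: str, account: str):
    """Return a finding when the invoice's bank details differ from the
    supplier record, or when the supplier is not on file; None otherwise."""
    on_file = TRUSTED_SUPPLIERS.get(supplier_domain)
    if on_file is None:
        return "unknown supplier, verify by phone before paying"
    if (bsb, account) != (on_file["bsb"], on_file["account"]):
        return "bank details changed, confirm with supplier out of band"
    return None


def review_invoice_email(from_header: str, bsb: str, account: str) -> list:
    """Run both checks and return a list of human-readable findings."""
    findings = []
    hit = lookalike_check(from_header)
    if hit:
        findings.append(f"sender domain resembles {hit[0]} ({hit[1]})")
    change = account_change_check(sender_domain(from_header), bsb, account)
    if change:
        findings.append(change)
    return findings


if __name__ == "__main__":
    # Constructed invoice email: 'rn' stands in for 'm' and the account differs.
    for line in review_invoice_email("Accounts <billing@acrne-widgets.com.au>",
                                     "062-000", "99999999"):
        print("WARNING:", line)
```

The point of the second check is that the domain test alone is not enough: a genuine supplier mailbox that has been compromised passes the domain check, so any change to bank details should be confirmed through a phone number already on file rather than one printed on the invoice.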
But there’s an even bigger risk, because the biggest risk for SMBs is a lack of investment in IT security.
ACSC figures show small businesses are spending on average less than $500 a year on cybersecurity. And the average cost per cybercrime incident or breach for a small business? $39,000.
The big five (questions that is…)
There are five key questions which can help identify your risk when it comes to cyberattacks:
Question 1:
Does your business collect any sensitive customer data?
Do you collect personal details such as a customer’s name, address, phone number or email in order to do business with them? Those simple details are enough to compromise your customer, as they form the basis for identity theft.
If you collect additional details such as passport or driver’s licence numbers, or banking information, the risk of your business being targeted – and to your customers if their data is breached – is even higher.
Recent changes to the Privacy Act 1988 mean companies with an annual turnover of more than $3 million in any financial year since 2002 – and many others with smaller revenues but handling sensitive data – are required to report to the OAIC any data breach that could cause serious harm. If you haven’t adequately protected that data, you could face penalties. You’ll also be required to contact all affected customers, causing irreparable brand damage.
Among those businesses with revenue under $3 million but still required to comply, are health care providers including gyms, weight loss clinics, complementary therapists and childcare centres; operators of residential tenancy databases, such as real estate and rental agencies; credit reporting bodies and businesses which store individual tax numbers, such as accountants.
The onus is on your business to provide the appropriate level of protection for sensitive data, and to communicate any breach and plan of response to your customers. That’s a key reason why 60 percent of SMBs who suffer a cyber event go out of business within six months of the incident.
Question 2:
Where do you conduct your business?
Few Australian companies conduct their business 100 percent from the office these days. Whether your staff are working from home part-time, using their computer while in a client meeting at a coffee shop (or that client’s office or home premises), or while in transit at airports, train stations or anywhere else, work outside the office is business as usual now.
So how are you protecting those people – and all the company data they’re handling?
While your business/office network might be secure, your intellectual property or sensitive information can be stolen from any access point – and that includes the local café or your account manager’s home network.
Protecting sensitive information from whichever device can access it is critical.
Checklist:
Understand the data your business holds and your responsibilities to protect it
Identify where important data is stored
Only collect the data you really need
Keep devices and software updated to ensure any known security weaknesses are patched
Checklist:
Set up security software to complete regular scans on all devices
Secure your devices – including those used at home by staff – with DNS filtering to block malicious websites and anti-malware protection to prevent endpoint compromise
Question 3:
Do you trust your employees’ awareness and knowledge around cybersecurity?
Checklist:
Establish a culture of security, requiring strong passwords and providing appropriate internet use guidelines
Educate your team on what they need to look out for and when to speak up
Have clear processes, rules and policies on how to handle and protect customer information and other data
Ninety-five percent of cyberattacks target the people who work in your business, rather than being technology failures, according to COSBOA.
Some of your team are at greater risk than others, with hackers targeting high-value accounts, such as senior management, accounts teams and assistants who often have access to executive accounts and can send messages out on behalf of others.
These are prime accounts for Business Email Compromises, but they’re also people who are likely time-poor and may inadvertently click on something they shouldn’t, like that malicious attachment containing ransomware.
Question 4:
What would a cyber breach or cybersecurity incident cost your business?
Would your business’ profitability or revenue be impacted if you lost access to your systems? How comfortable would you be contacting your customers to let them know their personal data has been compromised?
As well as the risk of legally imposed fines if data is breached (and the penalty for serious or repeated data privacy breaches has increased to the greater of $50 million, three times the benefit of a contravention or 30 percent of a company’s adjusted turnover in the relevant period), there are a number of other potential direct costs to your business. These include monetary theft, the cost of remediation, system repair and data restoration, lost revenue due to downtime, the cost of notification and credit monitoring for affected parties and increases in insurance premiums.
On top of that, there is the business disruption and operational downtime, potential loss of intellectual property and damage to your brand.
And it’s not just your business: Third parties you work with could also be affected by a cyberattack on your business.
Checklist:
Consider how a cyberattack would affect your business, providing a low, medium or high impact rating to each of the following:
How would it affect your day-to-day operations? Would it stop your business?
What would the cost be to recover from an attack?
How much reputational risk could you suffer if an attack or breach happened?
How would the risk affect your IT environment?
Question 5:
What existing practices and IT solutions do you have in place?
What technology and solutions are you using to protect your network, devices and users?
Putting solutions in place is the most effective way to ensure your business is not crippled operationally or financially by a cyberattack.
More than that, if you fall under the Privacy Act, those measures are not a nice to have, they’re essential: the Privacy Act principles require that companies take ‘reasonable steps’ to protect personal information.
Ignorance is not a defence and the best insurance you can have is procedures showing you have implemented appropriate protection and prevention measures.