Stay Smart Online Week: Q&A with experts on Small Business Cyber Risks

This week is Stay Smart Online Week; a government initiative that aims to reverse the threat of cybercrime. Small businesses are some of the biggest growing targets for cybercrime with enterprise ransomware up 12% and organisations with less than 250 employees are more than twice as likely to be the target of email threats than an organisation with over 1000 employees*.

To explain this threat further and to give Small Businesses the tools they need to deal with it, we sat down with experts from Clyde and Co, to talk all things Cyber.

What are the biggest cyber risks facing small businesses?

Some of the biggest cyber risks facing small businesses, include:

Reliance on managed service provider. Many SMEs are heavily reliant upon an outsourced IT service provider that may or may not be implementing effective security controls.

Lack of understanding of cyber threats. SMEs are particularly susceptible to social engineering attacks, resulting in data disclosure and unauthorised transfer of funds.

Lack of preparedness for incidents. Many SMEs do not have the available resources to invest in preparation for an incident, including the development of an Incident Response Plan and or crisis simulations. In an incident it is critical to react quickly and appropriately. Without this preparation, SMEs are often hamstrung and end up suffering additional loss as a result.

Lack of backups. Many SMEs have vulnerable data retention regimes in place. Accordingly, in the event of an incident (in particular a ransomware attack), an SME may be unable to recover data and suffer significant business interruption and financial loss.

Perpetual retention of information. SMEs often do not regularly delete or de-identify data that is not required and accordingly retain information in perpetuity. This causes major challenges in the event of a breach, as a threat actor may have access to 20+ years’ worth of potentially sensitive information.

What is the impact of these risks?

The most salient impacts of the above include:

• Loss of critical data
• Business interruption
• Financial fraud / misdirected funds
• Loss of reputation
• Costs of responding to a breach

Some relevant statistics:

• The most common cause of data breaches are malicious attacks, which account for 61% of total data breaches in Australia.
• Cybercrime costs the Australian economy more than $1bn annually.
• Small business is the target of 43% of all cybercrimes.

https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf

Are Small Businesses prepared for these risks?

Most SMEs are not sufficiently prepared for the cyber risks and have not taken the necessary mitigation steps. For instance:

• 33% of businesses with fewer than 100 employees don’t take proactive measures.[1]
• 87% of small businesses believe their business is safe from cyberattacks simply because they use antivirus software[2]
• Small businesses tend to have less security than larger corporations as they believe they are under the radar[3]
• The ease of attacking a smaller business creates greater incentives for hackers to target smaller businesses[4]
• Small businesses often do not have the resources to prepare for a cyber attack[5]

What is often the most overlooked?

• Cybersecurity education – Phishing/social engineering attacks are the most common form of cyber-attacks on small businesses.[6]
• Enabling multi-factor authentication (MFA) – can be one of the simplest but most effective measures, yet is not frequently implemented.
• Securing offline backups to prevent encryption in the case of a Malware attack.
• Reporting/escalation structure for suspicious activity. This means that threats and risks are often overlooked, and become more serious, for lack of being addressed/

What are your top tips for small business cyber protection?

• Educate on the importance of cyber security from the top down
• Understand the relationship with your MSP – see here for more information: https://www.cyber.gov.au/publications/questions-to-ask-managed-service-providers
• Understand and manage your supply chain risk
• Develop and enforce a strong password policy including two-factor authentication
• Update IT equipment and deploy security software updates
• See ASD essential 8 for best practice – https://www.cyber.gov.au/publications/essential-eight-explained
• Sign up to scam watch (https://www.scamwatch.gov.au/news/subscribe-to-scam-alert-emails) and stay smart online (https://www.staysmartonline.gov.au/get-involved/stay-smart-online-week-2018/sign-our-free-alert-service)
• Buy cyber insurance

Small Businesses are often short on time and resources. What should a small business prioritise in their cyber protection?

• Focus on educating staff on what to look for when identifying suspicious emails/activity
• Implementing multi-factor authentication for important systems including email
• Implement a reporting structure to ensure that all incidents are captured and notified to appropriate staff / external IT providers
• Understand what to look for and engage a managed serviced provider
• Limit access to sensitive information and administrator accounts

If you find yourself the victim of a cyber incident, Clyde & Co have a 24-hour cyber incident response hotline or email, allowing you access to their team directly. For more information contact them on +61 2 9210 4464 or at cyberbreach@clydeco.com

* Symantec Internet Security Threat Report, February 2019.

[1] https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf

[2] https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf

[3] https://www.cpomagazine.com/cyber-security/new-data-breach-trends-small-business-identity-records-now-target-1-for-hackers/

[4] Ibid.

[5] Ibid.

[6] https://www.smartcompany.com.au/finance/fraud/cyber-crime-stay-ahead/