What are the major cyber security risks facing SMEs?
Research from the ACCC revealed that business email compromise (BEC) scams cost Australian businesses $132 million alone in 2019.
Susie Jones, CEO of Cynch Security, outlined the key cybersecurity risks that many small businesses face.
“First they are being targeted as often as big business by cyber criminals because they are easy targets, they have taken fewer steps to protect their business and potentially could already be inside a large business.
“But the challenge is that the cybersecurity industry is built to help the top end of town, and to help people with tech backgrounds who understand what cyber tech experts are talking about.”
Ms Jones explained that another growing issue for small businesses is the complex regulatory framework governing cybersecurity.
“Another challenge, that is only emerging but will become bigger, is the focus of government and regulators on mandatory compliance regulations.
“It is really hard for small businesses to demonstrate if they’re doing the right thing and it’s also really expensive.
“The big challenge for small business is ‘how should I show my regulator or a large customer that I’m doing the right thing?’”
How has COVID-19 exacerbated these issues?
According to the Federal Government’s 2020 Cybersecurity Strategy Report, cyber criminals have been taking advantage of the pandemic to conduct COVID-19 themed emails and SMS phishing campaigns.
Linda Cavanagh, the National Network Lead at AustCyber, agreed that COVID-19 had heightened cyber risks for already vulnerable small businesses.
“Phishing and related scams that are tied to the economic stimulus packages, such as early access to super, low interest bank loans, Jobkeeper, these kinds of scams are very flexible and use the environment to tailor their phishing attacks on small businesses and individuals.
“They can also look at information manipulation such as attackers compromising networks to change bank account details on invoices that have been either submitted or provided by small businesses.
“Also the employees working from home or potentially in a hybrid home workplace environment, there are opportunities for malicious actors taking advantage of low or no cybersecurity at home or on their work devices which obviously compromises both the business networks and also their own networks at home.”
Ms Cavanagh also noted that COVID-19 had increased the participation of SMEs in government and multinational supply chains. This exposes SMEs to cybersecurity risks as a result of their involvement in broader networks.
“The small businesses that are providing high value goods or providing products or services to the government or large multinational corporations may be used specifically [by cyber criminals] to get into the larger network such as the government or multinational corporations.”
How has the Federal Government responded to these risks?
Earlier this month the Federal Government introduced the 2020 Cyber Security Strategy, investing $1.67 billion into building new cybersecurity and law enforcement capabilities. This initiative is the largest ever Australian Government financial commitment to cybersecurity.
Ms Cavanagh welcomed this program.
“The $1.7 billion will actually be provided across a lot of government agencies and in particular the ACSC.
“Boosting their capabilities, boosting the AFP’s capabilities in relation to fighting cyber crime, will have flow on effects to the economy but also to small businesses.”
However Ms Jones posits that this arguably is “mostly going to favour larger businesses.”
“We were disappointed that there wasn’t much in there to help small businesses to take control of their own risk.
“There are some good ideas. The government has spoken about setting up a hotline for businesses where there has been a breach.
“Otherwise there is a reliance on big businesses helping small businesses, which we know from past experience doesn’t always happen.”
How can you protect your business?
There are a number of simple strategies that businesses should be considering.
- Multi-factor authentication: making sure that two or more proofs of identity are required to grant access
- Anti-virus software: downloading software to prevent malware that deletes, corrupts or steals information
- Backing up and restoring data: businesses should back up data on the cloud or to external hard drives
- Firewalls: if employees are working at home or in hybrid mode, passwords on wifi routers should be changed
- Password managers: a password manager can develop a strong password that will take much longer to be compromised
Ms Cavanagh also stressed the “human element” to cybersecurity.
“You could have the best software, the best protective networks, but if your employees and yourself aren’t appropriately skilled or cyber aware … compromises can occur by clicking on a phishing email or opening up a ransomware email. So ensure that your people are skilled.”
Data protection services can assist in protecting against human errors within companies.
Andrew Huntley, regional director of ANZ and Pacific Islands for Barracuda, explained the importance of having a “human firewall” by educating employees on cyber awareness.
“Training isn’t just nice to have, it’s a top priority because targeted attacks have become so nefarious and effective. Train your employees to understand what threats are, where those threats are coming from and how to avoid becoming a victim.
“But it’s not about taking people into a classroom and teaching about cybersecurity awareness, it must be done in real environments using unscheduled simulations of typical attacks on a regular basis.”