Inspire9


Cyber security weak points in SME's

Small to medium-sized enterprises are estimated to account for 96% of all businesses in Australia and approximately 40% of all cyber crime targets.

Understanding 3 key points could help you avoid being a victim.

Your team is your most important risk exposure, while also being your main resource for responding to a cyber attack.

  1. Your team

    In a survey of more than 1000 Australian businesses of all sizes, nearly half of the employee respondents admitted they have put the organisations they work for at risk through the following unsafe activities.

    • Opening an attachment or link in an email from an unknown contact

      Phishing is the name for email scams that trick recipients into clicking on a link or attachment, asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. Recent research shows that one in 728 emails in Australia is a malicious email, as reported by My Business. In 2018 email scams cost local businesses more than $60 million in lost revenue and downtime, according to Scamwatch.

    • Downloading apps, software, videos or games without their employers’ permission or sharing viral emails from unknown sources

      Malware can be hidden in any of these downloads or messages, giving cybercriminals access to the system and the information on the network, enabling everything from denial-of-service ransom demands to identity theft or the draining of your bank accounts.

      What you need to do

      • Educate your staff about the red flags to look for in unusual requests or demands for payment or information, so that they can recognise a bogus message when they receive one. Document these precautions and make sure they are part of onboarding new hires. Reinforce this information by reminding your people regularly via clear messages going over what to beware of and how to respond.

      • Ring-fence your sensitive business information (employee details or financial accounts, for example) by identifying exactly who needs access to which parts of your system. These people, and these people only, should be able to access those specific areas of your computer network, always via multi-factor logins (a password or passphrase plus an additional proof of identity). Always revoke this access when someone leaves the company.

      • Establish clear protocols around responding to emails with links or attachments, or requests for personal or financial information. Messages from unknown sources should never be actioned and ones purporting to be from a known source should be checked for legitimacy. Any request for sensitive or confidential information should be scrutinised closely.
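      The three access controls above (access only where a role needs it, always behind a second factor, revoked on departure) can be turned into a routine access review. The script below is an added illustration, not code from the original article or from Inspire9; the roles, sensitive areas, staff roster and account list are constructed sample data, and the role-to-area policy is an assumed one.

```python
"""Access review for the ring-fencing advice above.

Checks three things against a constructed account list:
  1. every account still belongs to a current employee (revoke on leaving),
  2. every account with access to a sensitive area uses MFA,
  3. nobody holds access to an area their role does not need.
All data in this file is constructed for illustration.
"""
from dataclasses import dataclass

# Assumed policy: which roles need which sensitive areas (constructed).
ROLE_NEEDS = {
    "payroll": {"hr_records", "bank"},
    "accounts": {"bank"},
    "sales": set(),
}

@dataclass
class Account:
    user: str
    role: str
    areas: set   # sensitive areas this account can currently reach
    mfa: bool    # whether a second factor is enforced on the login

def review_access(accounts, current_staff, role_needs=ROLE_NEEDS):
    """Return a list of (user, finding) pairs; an empty list means clean."""
    findings = []
    for a in accounts:
        if a.user not in current_staff:
            findings.append((a.user, "departed_but_active"))
            continue  # remaining checks are moot; the account should be revoked
        if a.areas and not a.mfa:
            findings.append((a.user, "sensitive_access_without_mfa"))
        excess = a.areas - role_needs.get(a.role, set())
        for area in sorted(excess):
            findings.append((a.user, f"unneeded_access:{area}"))
    return findings

# Constructed sample data: the HR roster and the current account list.
CURRENT_STAFF = {"alice", "bob", "dana"}
ACCOUNTS = [
    Account("alice", "payroll", {"hr_records", "bank"}, mfa=True),
    Account("bob", "sales", {"bank"}, mfa=True),       # sales does not need bank
    Account("carol", "accounts", {"bank"}, mfa=True),  # carol has left the company
    Account("dana", "accounts", {"bank"}, mfa=False),  # no second factor enforced
]

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, CURRENT_STAFF):
        print(f"{user}: {finding}")
```

      Run against a real export of your user list and HR roster, each finding maps directly to one of the three actions above: revoke, enable MFA, or remove the unneeded access.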

  2. Your management

    Not actioning technical updates

    Both business owners and their employees are guilty of this: simply overlooking or postponing their response to update notices on their computers, software, apps or devices. Regular updates are vital because they contain security fixes that guard against recently discovered viruses and attacks. This process is also referred to as patching, and it is usually as easy as clicking a button.

    Not understanding how to protect yourself

    Canvassing Australian small business owners reveals the vast majority (87%) think using antivirus software alone means they're safe from cyber attacks. Using anti-virus software is only one part of a cyber security program and can’t by itself guarantee protection. You should also back up the information stored in your systems to a separate storage device and disconnect it once this is done. This precaution will help you get up and running again much faster after an attack or outage.

    Not having a cyber attack response plan

    Indications are that less than half of Australian businesses have a data breach response plan. For small businesses that don’t have in-house IT expertise, this is a recipe for disaster. If you don’t know how to react or defend your systems and information, the damage you sustain will be more serious.

    Not understanding your reporting obligations

    A survey by Chubb Australia suggests that only half of Australian small to medium sized businesses are aware of their cyber reporting obligations. Failure to comply with requirements can attract hefty fines, and you may put others – your clients, customers and business partners – at risk.

    What you need to do

    1. You wouldn’t leave your premises unlocked. Follow basic systems security advice. The Australian Government Cyber Security Centre outlines 8 essential actions that every business should take to protect themselves. Outsource this to an IT professional if you’re not tech-savvy yourself.

    2. Have a response plan in place. The quicker you can identify and contain an attack the less damage it can potentially do.

    3. Understand your obligations and the consequences of failing to meet them. If you sustain a data breach, that breach involves the personal information of an individual, and the breach is likely to result in serious harm to them, then you are required to notify the affected individual and the Office of the Australian Information Commissioner (OAIC). Non-compliance can attract steep penalties of up to $1 million. The OAIC has published a guide to help organisations implement the requirements of the Notifiable Data Breach Scheme.

  3. Your resources

    You have nothing to fall back on if you do get hacked

    Only a quarter of Australian small businesses are believed to have cyber risk insurance. Given that they represent 40%+ of the local businesses that get attacked, this leaves them wide open to the potentially substantial losses incurred if their systems are hacked: downtime, data loss, and legal cases or fines.

    You don’t understand the complexity involved

    If you don’t understand the extent to which a cyber attack could damage your business, it is difficult to protect yourself effectively against either the immediate effects or the wider fallout.

    What you need to do

    Having standalone cyber insurance means you can respond to a cyber attack quickly, calling in the professionals in the knowledge that the cost of their services and the associated expenses involved in restoration, remediation and reputational damage limitation will be covered.

    Could you identify all of your risk exposures across all of your operations, computer network and devices? Obtaining a complete analysis and recommendations from a cyber insurance specialist who understands your business helps assure you of more complete protection if you are targeted by cyber criminals or your data is compromised through employee error.