How To Keep Your Small Business Safe From Cyberattacks
The cost of cybercrime to businesses in Australia is rising exponentially, costing Australians an estimated $1 billion each year. The average cost to a business, per attack, is $276,323 and 53 per cent of that cost is spent on detection and recovery rather than prevention. Web-based and insider attacks make up around half of the breaches companies experience. Between 2016 and 2017, reports to the Australian Cybercrime Online Reporting Network (ACORN) indicated that the cost of cybercrime in Australia had increased by more than 230 per cent.
These statistics illustrate that the risk and the cost of being attacked by cybercriminals is growing exponentially. The cost to your business comes from business disruption, information loss, revenue loss, productivity loss, and equipment damage. This can be compounded by reputational damage if the marketplace finds out about the security breach.
Furthermore, the new addition to the federal government’s Privacy Act requires businesses to report certain data breaches to the individuals concerned and to the Office of the Australian Information Commissioner (OAIC). Known as the mandatory Notifiable Data Breach (NDB) scheme, the legislation calls on businesses to help individuals take a proactive role in protecting their private information by informing them if a breach has taken place that is likely to cause serious harm. The definition of serious harm isn’t limited to financial losses and includes psychological, emotional, and reputational damage that the person might experience as a result of their information being accessed by unauthorised parties. Failing to comply with this legislation can result in significant fines and civil penalties.
Yet, despite the growing momentum towards cybersecurity awareness and protection, too many Australian businesses are taking a laissez-faire attitude to cybersecurity. Research has shown that almost two in three SME owners feel well-informed about the risks of cybercrime, and 80 per cent of SME owners feel their business can respond to a security breach. This makes these owners more confident than some ASX-listed companies, which have the funds and resources to employ highly-qualified security professionals. Worryingly, SMEs don’t prioritise cybercrime and are more worried about managing overheads and expenses, chasing payments, and protecting cash flow, competing in the marketplace, and political uncertainty. This could demonstrate that they’re underestimating the potential ffects of a cyberattack on their business. Yet, athe statistics demonstrate, the effects of a cyberattack on a small business can be devastating. The extent to which a business can fully recover from a security breach depends, of course, on the nature and severity of the breach, along with the organisation’s response capabilities. A company that falls victim to a ransomware attack, for example, may be able to continue operating without much inconvenience because all the organisation’s data is backed up and the business can immediately switch over to the backed-up version of its data and keep operating.
However, a denial of service attack is often the most expensive kind of attack, which can prevent a business from operating altogether until the problem is rectified. The average time to resolve an attack is 23 days, which is a long time for a business to be unable to operate at full capacity. Many small business owners fail to appreciate the risk facing their business because they assume a small business isn’t an attractive target for cybercriminals. However, when that small business is part of a franchise, it becomes a much more lucrative and attractive target. Gaining access to one part of the network often makes it possible to access the rest of the franchise’s systems so cybercriminals can harvest credit card details, steal information, carry out ransomware attacks, or sabotage the business.
For example, franchisees often use some IT solutions that are supplied by the franchisor, such as point of sale systems. However, franchisees often use their own HR software, along with rostering, timesheets, and payroll systems, all of which contain sensitive information about staff. This is of particular concern given many franchisees employ minors, and these personal details could be at risk in a security breach.
According to the Australian Cyber Security Centre 2017 Threat Report, many of the incidents that Australian businesses have experienced could have been prevented if the organisation had employed established and straightforward cybersecurity measures. Many attacks use publicly-known vulnerabilities that should have been patched. This highlights how easy it should be for businesses, regardless of size, to reduce the risk of being significantly affected by a security breach.
The first step is to understand that, even if your business or franchise hasn’t yet been hit by a cyberattack, it’s only a matter of time. Cybercriminals enjoy a high reward versus the risk they take: it’s difficult to personally identify cybercriminals and they can potentially reap big profits from their activities.
All it takes is for a business to send or receive payments online, use email, or store customer records electronically. This all creates a digital footprint that can lead cybercriminals straight to you. If you also have an online presence through a website and/or social media page, the risk increases. Yet it’s impossible to do business in today’s digital era without these online capabilities.
There are six basic steps you can take to keep your business safe:
1. Share information sparingly
Many businesses rely on social media to advertise and market their business. In looking to create and maintain individualised relationships with customers, businesses can unwittingly make it easier for cybercriminals to successfully target the business. As business owners become more securitysavvy, it’s harder for cyberattackers to gain access to the network by brute force or traditional hacking techniques. Consequently, social engineering techniques are growing in popularity. These techniques use small amount of personal information, usually gained through social media accounts, to trick a person into thinking they’ve received an email from a trusted colleague or boss. The email may direct the recipient to transfer money into an account, as happened to one US business to the tune of US$500,000.7 Or, the email could include a link that looks legitimate but actually takes the recipient to a spoof website at which they’re instructed to enter their username and password. Once that happens, the cybercriminal can use those credentials to log into the system and cause damage or steal information. Your company’s social media pages can provide a great deal of information that cybercriminals can use to attack the business, such as details of a new deal, new product, or company restructure. It therefore makes sense to think twice about the information shared via social media.
2. Patch everything
Most apps have bugs or vulnerabilities that hackers can use to gain access to a company network. Patches are pieces of code that fix those vulnerabilities. They’re released regularly by software developers, so businesses should subscribe to the mailing lists for all the company’s operating systems, infrastructure, and applications, then apply patches as soon as they’re released. Too many successful attacks happen as a result of businesses failing to apply the most up-to-date versions and patches.
3. Don’t neglect anti-virus
While the proliferation of different types of attacks can make anti-virus tools seem old-fashioned, the truth is that anti-virus tools can detect and defend against many socalled zero-day attacks, which don’t yet have patches available. So, it’s essential to invest insophisticated anti-virus software and keep it up to date. Simply investing in the right tools, then adopting a set-and-forget attitude won’t keep your company secure. It’s essential to continually upgrade and patch your security software to ensure it keeps working to protect the business. Cybercriminals move fast, so anti-virus tools can become out of date quickly if you ignore them.
4. Reconsider plugging in and
clicking on
USB sticks can harbour nasty malware infections, so unless your company absolutely relies on external drives, they should be disabled. Similarly, employees should be educated not to click on attachments or links in emails, in case they lead to malicious sites. It’s valuable to create a company policy around things like emails with links, then make sure everyone in the organisation is aware of it. Simply making it clear that an employee will never be asked to enter their credentials in an email could prevent employees from falling for a social engineering or phishing scam
5. Protect information
Often, malicious actors get information because staff members have either accidentally or deliberately shared it. Staff should be educated regarding what’s safe to share and what should be kept in confidence. All data should be backed up regularly to protect it in case of a disaster. Then, if a hacker tries to deploy ransomware, the business can simply revert to a backed-up copy of the data and operate as normal.
6. Use strong passwords
Passwords can be all that stands between a cybercriminal and an organisation’s entire network. It’s important for employees to use strong passwords, two-factor authentication, and different passwords for ifferent systems. All it takes is for a cybercriminal to crack one password and the entire network could be vulnerable.
All businesses operate in a digital world. To stay safe, you need a robust cybersecurityframework. Working with the right partner can help you secure your business.
Kerry Tang is a cybersecurity professional with experience in security risk assurance and evaluations, who provides expertise to clients primarily in financial services. Kerry also delivers cyber security ervices and consulting, including designing, customising and managing security for business environments and data. Aleron was established in 2010 to provide skilled and experienced information security consultants and engineers. Aleron provide IT security consulting, technical implementation and staff augmentation to deliver a variety of specialised security skills and functions. Aleron provides cyber security services across multiple industries including financial services, retail, construction and education. Some key clients are CBA, Westpac, McDonald’s, Woolworths, Coles FS, Superannuation, and Insurance companies.
www.aleron.com.au