Multi-factor authentication is just one of eight things small and medium-sized businesses should be doing to protect themselves against cybercrime.
Malware, ransomware, data breaches, payment redirection scams, phishing – Australian businesses are increasingly under fire from bad actors in cyberspace.
The average loss to Australian businesses from cybercrime is $45,965 for small businesses and $97,203 for mid-size ones, and it continues to rise.
Yet, almost half of businesses of this size report spending less than $500 on cyber security each year, according to a survey by the Australian Cyber Security Centre (ACSC).
The ACSC suggested this may be due to many SMEs likely taking “a DIY approach”.
IP Partners service delivery manager Jonathon Wilson said phishing is now the most used entry point for cyberattacks on SMEs.
“In the early days of ransomware, people unwittingly opened documents with macros or opened attachments in emails,” Wilson said.
“These days, criminals use information from LinkedIn, Google and previous data breaches to come up with authentic-looking emails to trick staff into clicking, which accidentally grants access to an application or download to run on their computer.
“Password reuse is the other common method, where someone who uses the same password everywhere is caught up in a data breach.”
IP Partners looks to the Australian Signals Directorate’s Essential Eight as a baseline for cybersecurity for its clients.
The Essential Eight provides businesses and government entities with “a hit list of the things they need to hit at a minimum to shore up security in their computer systems,” Wilson said.
“It is the Essential Eight – it’s not the entire list, there’s a much larger list that it’s derived from – but it’s the understanding that, especially for small business where funds are not infinite, you have to start with the core stuff.”
Easy wins include implementing multi-factor authentication – which Wilson said will “single-handedly deliver most businesses” the biggest lift in security – plus regular backups and using different passwords for different software systems.
However, after that, businesses are likely to need assistance.
“While the Essential Eight does give you a security matrix and an idea of what needs to happen, you do need to have a certain level of expertise to be able to implement it properly,” Wilson said.
The ACSC noted that “in addition to making it harder for adversaries to compromise systems, implementing the Essential Eight Mitigation Strategies can be more cost-effective for [SMEs] in terms of time, money and effort than having to respond to a cyber security incident”.
IP Partners senior service desk analyst Pasquale Acitino said the company also added further layers of protection for their clients across Australia.
“Essentially, we have an auditing process we take our clients through,” he said.
“If we feel like there are improvements needed, we will put that in our recommendations, which align with the Essential Eight and our own best practices that we’ve developed.
“We’ve got a team of technicians with different skill sets and everyone’s collectively put their brain power together [to] be able to protect businesses.”
The managed services provider often picks up new clients after a major cyberattack is reported in the media, or after a business has experienced their own security breach.
However, sometimes that breach is due to low security elsewhere in the supply chain.
“We work with a company that provides building materials and a number of times their customers have been breached,” Wilson said.
“The trades people might lack security on their personal Hotmail or Gmail that they use for business, and our customer has sent invoices for $20,000, $30,000, $40,000 of building supplies.
“Someone’s logged into that trades person’s mailbox and edited those invoices and received the payment, and depending on how that happens, sometimes the bank can’t call that money back either.
“When you realise that some poor tradie has sent 40 grand somewhere it shouldn’t have gone, no one wins in that scenario.”
The increase in remote working has also added to the risk, with laptops being stolen from homes and cars, while timesaving macros for Excel also offer a vulnerability.
Training for sole traders and bigger businesses is obviously one response and some companies use a cyber security awareness training system, including fake phishing emails to assess the training’s effectiveness.
Taking out insurance to cover losses from cybersecurity incidents is another.
Wilson said the second is likely to depend on the first.
“In many cases, you may not be able to get coverage without the training system, or if you can, you will have a higher premium.”
Businesses with an annual turnover of more than $3 million have an obligation regarding data handling and reporting of breaches and risk being fined millions if found to be negligent. This obligation and penalty may soon extend to the smallest businesses too.
Wilson said perhaps the biggest thing SMEs risked in not addressing the Essential Eight was their reputations.
“Optus and Medibank are very large and they can take a hit when it comes to clients and customer trust to some extent,” he said.
“If you’re a smaller business, depending on the nature of the breach and which information ends up on the dark web to be sold for identity theft, that could cause reputational or business damage that you just don’t recover from.”
Closing the door to cyber criminals using the Essential Eight plus best practice strategies gave the best defence, said Wilson.
“At the end of the day, the safer our customers are, the better I can sleep at night.”
Contact Austbrokers Terrace and speak to our specialists to assist you and your business.
Source: InDaily