Why security matters for SMEs in a cyber world

With virtually every aspect of business involving a degree of automation and online connectivity, cyber security has never been more important. Experts say that for every business, a cyber attack is a matter of when, not if. So how can SMEs safeguard their data and operations?

Is this a problem for SMEs?

While media attention is given to the effects of hacks and viruses on large companies and government departments, it is actually small businesses that bear the major cost of cyber attacks.

Indeed, one of the most commonly attacked industries, where data, rather than money, is the desired treasure, is health services. My Business even heard recently of a cyber attack against a neighbourhood veterinary practice.

“I can confirm that this is happening. I’ve been developing websites for small businesses for years and the amount of sites infected with malware is going up. I’m the one that has to deal with it, and it’s very annoying,” said reader ‘morktron’ on the My Business website.

Jenny Thornton, partner at law firm Clyde & Co, and her colleague Tim Searle, told our sister publication Lawyers Weekly that SMEs actually appear to be more of a target than their larger business counterparts, given their more lax standards of cyber security and the high-volume, low-value nature of the attacks fraudsters are able to get away with.

“One of the things we’ve been talking about is that a lot of the encryption attacks – where they put in this malware that effectively locks up the data for a ransom – I always suspected that those would be with larger companies. But apparently the bulk of those cases are small-to-medium businesses, and especially not-for-profits. The hackers are asking for just $1,000,” Tim said.

Jenny added: “It’s often between $200 and $600 and it’s day care centres or small community organisations; you don’t hear about [these hacks] – they’re not registered”.

Australian Small Business and Family Enterprise Ombudsman Kate Carnell is also vocal on the issue, stating that an alarming trend has emerged of SMEs’ websites being breached by Islamist extremist sympathisers.

“Latest statistics reveal 84 per cent of small-to-medium businesses (SMEs) are online, with one in every two SMEs receiving online payments,” she says.

“Recent reports of small businesses having their websites breached with disturbing pro-Islamic State messages reinforce the importance of cyber security in this digital age.

“Small business owners need to make sure they are aware of cyber risks and have measures in place to prevent and respond to attacks. This includes drawing up an online security plan, ensuring their point-of-sale systems are protected, backing up their data and implementing robust password practice.”

What hackers look to exploit

“Hackers are particularly lazy … unless they have a particular beef with your company,” explains Angela Bunting, vice-president of eDiscovery at data security firm Nuix.

“You’ve got to think like a hacker.”

Human error is the most common area hackers seek to exploit. Sadly, even the most minor of oversights can leave a business exposed. The upside is that such errors are easily rectified or avoided, provided they are kept front of mind for you and your employees and the consequences are made clear.

Common mistakes include leaving passwords written down or saved erroneously, failing to terminate employees’ access once they leave the business, and clicking on links or attachments from unknown sources.

Other easily avoidable mistakes, on which hackers set their sights, include failing to regularly update passwords, using the same password across multiple accounts and networks, and using weak usernames and passwords (of which ‘admin’ and ‘password’ are still two of the most common globally).

Phishing attacks are also common, tricking people into believing a link is legitimate when in fact it masks a scam or otherwise deceitful intent.

A report published in 2014 by McAfee Labs suggested that a staggering 80 per cent of people failed to detect even one out of seven phishing emails. Worse still was the fact that those working in finance and HR – the areas controlling the majority of data within a business – were the least able to detect scams.

Keran McKenzie, platform evangelist at MYOB, added that there is often a failure to adapt security processes over time.

He said business owners often bring in new technology and think they are covered, but “they fail to look retrospectively at their old tech, and it’s that old tech that is vulnerable”.

However, SME operators shouldn’t think they are alone in the struggle to maintain data security and privacy.

“Organisations large, medium and small all struggle with this issue of risk,” said independent consultant Rob Livingstone.

As Angela points out, not all hacks are about financial gains.

“A hack isn’t always about taking data away,” she says, highlighting the high-profile case of Ashley Madison, the Canadian-based extra-marital dating website.

“It was a social hack – they didn’t like the way the company operated.”

In that particular instance, the data collected – including its users’ identities – was gradually made public as a means of damaging the company and its users.

Prevention the best form of defence

Recognising the importance of working on the prevention of cyber attacks, the federal government earlier this year unveiled significant funding for a major new cyber-security strategy.

“The federal government’s investment of $230 million to enhance Australia’s cyber-security capability demonstrates the scale of the issue at hand and a clear focus on meeting the challenges of the digital age and protecting all Australians online,” BDO risk advisory partner Leon Fouche said at the time of the announcement.

However, he said that businesses are ultimately responsible for maintaining their own defences.

“While the federal government is leading and innovating, businesses need to ensure their security practices are robust and up to date, and to better educate and empower employees to use sound online practices.

“I urge all businesses, including SMEs, to undertake some level of self-assessment on a regular basis in order to understand their cyber risk exposure and their ability to respond to and recover from a cyber incident.”

According to Joel Camissar, Intel Security’s Asia-Pacific director of service provider, MSP and cloud business, the most basic form of prevention is to actually know and understand where your online data is being stored.

He says that in a recent survey of 452 Australian businesses, 37 per cent had failed to even check whether their cloud provider complied with the basic standards outlined in the Australian Privacy Act.

Joel suggests that any business looking to employ cloud-based services should research the provider first, including finding out about its public reputation, where its data servers are located and whether it is fully accredited.

Neil Stollznow of StollzNow Research, who conducted the research on behalf of Intel Security, said the most surprising finding was that in profiling businesses’ attitudes to cyber security, the survey actually educated many about the need for such measures.

“Your survey raised issues I will discuss with our CIO – thank you,” one respondent replied.

“It’s a bit scary when your questionnaire educates people [rather than profiling them],” says Neil.

It is also unwise to put all your faith in preventative technology, because the most basic of oversights can circumvent even the most expensive and sophisticated systems.

Real-world examples include one company where the door to a secure data room was held open by a rubbish bin, and another with cutting-edge digital security systems in place, but with boxes of hard-copy files left unattended in the reception area.

Coping with a security breach

The problems associated with a security breach are extensive. These can include:

  • Financial theft.
  • Reputational damage.
  • Publication of sensitive documents and data.
  • Loss of customers.
  • Inability to trade for a period of time.
  • Reduced SEO recognition.
  • Adverse media coverage.

According to Intel Security’s solution architect Andrew Hurren, any business owner who becomes aware of a cyber attack or hack against their network or website should take the following steps:

  1. Put a plan in place beforehand to outline your response, and follow it when an attack occurs.
  2. Investigate the nature of the breach, its source and its ramifications.
  3. Don’t seek retribution against the responsible entity – this will either make the situation worse or simply be a waste of your time.
  4. Report the situation to your security provider, the Australian Cyber Security Centre (ACSC) and, if necessary, the police.
  5. Be careful not to delete evidence: doing so may weaken a legal case against the assailant, or limit your security provider’s ability to adapt to the threat.

Did you know?

  • Intel Security says there are 71 million attempted installations of unwanted programs each day – just among its own customer base.
  • There are also 1,200 attempts at clickbaiting to risky URLs every second.
  • 70 per cent of cloud-based data is personally identifiable.
  • 48 per cent of businesses store network passwords on the cloud.
  • 38 per cent of Australians are reluctant to recycle electronic equipment due to data security fears.

Sources: Intel Security and ANZRP