How SMBs can protect themselves, staff from cyber threats
The internet is not getting any safer and cyber threats are evolving every year, making it even more difficult for businesses, especially SMBs, to navigate.
The Australian Cyber Security Centre receives one cybercrime report every 10 minutes from individuals and organisations, with the average cost of cybercrime to a business in Australia around $276,000.
Smaller businesses have no special immunity to cyber attacks. Cybercriminals are increasingly targeting SMBs as "easy pickings" - whether to steal customer data or hold computer networks to ransom. In many cases of ransomware, the only option is to pay up, or go out of business. In Australia and New Zealand, 91% of managed service providers reported attacks against SMBs, according to a Datto survey - the highest rate globally.
Even more alarmingly, 80% of Australian SMBs targeted by a cyber attack go bankrupt within 12 months, as reported by the NSW Business Chamber.
There are also serious legal risks for failing to protect customer data which carry heavy financial penalties, not to mention reputational fallout.
Australia's Privacy Act 1988 was updated in February 2018 with the mandatory data breach notification regime. This makes businesses publicly accountable for data breaches which may result in "serious harm", with fines up to $10 million for the worst cases.
Effective cybersecurity requires a three-pronged approach:
1. Technical - have the best solutions and most secure devices deployed
All SMBs should secure devices and their network with the most robust security solutions available and keep them updated. This includes having a firewall.
It's also important to monitor the use of devices and set administrative privileges, so only authorised people can access sensitive data. Encrypt important information and require strong passwords for any access to company network/files.
If IT or social media is outsourced, make sure the business has full control of logins and passwords, not the external provider.
2. Policy - set rigorous policies and processes, such as backups and DR
Ensure regular backups of your data and your website, to multiple locations. Backing up your website is all the more critical if your business transacts online. Daily incremental backups to a portable device and/or cloud storage are advisable, with weekly server backups.
Protect your customers by being compliant with data protection and privacy laws - not only in Australia, but also those of other jurisdictions you may transact in. The European Union's GDPR (General Data Protection Regulation) has international reach that affects many Australian businesses, including SMBs. Prepare a data breach response plan so you are ready if the worst happens.
(As long as a company offers goods or services – free or paid – to EU residents, or monitors or tracks their behaviour online, GDPR applies.)
3. Education - ensure that everyone is on board and able to use devices safely
Your staff are your business' most important and last line of defence. It's important to make sure they're aware of the threats they can face online and the role they play in keeping your organisation safe. More than a third of breaches in the first year of the notifiable data breach scheme were attributed to human error, such as sending emails to the wrong recipient.
Educate employees about safe internet use so that they comply with the policies put in place to protect them. Be particularly cautious about portable USB sticks and external drives. If people regularly bring in files from home to print, consider making a computer/printer available for this that's separate from the main network.
Another aspect is insurance. Only around 15% of Australian SMBs are covered by insurance against cyber-attacks - even though cyber-attacks are far more likely to happen than other emergencies such as fire and flood, or even physical theft, according to the NSW Business Chamber.
To ensure your business stays safe as threats and regulations continue to evolve, conduct a regular cyber and data privacy compliance audit, as well as a cybersecurity review. A good starting point is the Australian government's Small Business Cyber Security Guide.