All organisations are vulnerable to cybercrime, but SMEs typically have far fewer resources to protect themselves. That's why Australia's Cybersecurity Strategy 2020, which includes assistance to small and medium enterprises (SMEs) to grow and increase their cybersecurity awareness and capabilities, is welcome.
According to research by the Australian Cyber Security Centre, a large proportion of Australian SMEs have inadequate cybersecurity practices and don't fully understand underlying threats and vulnerabilities. This is not surprising, as 97% of Australian businesses have fewer than 20 staff, and may not have full-time IT staff, let alone IT departments and security specialists.
While 62% of respondents have experienced a cybersecurity incident, and 80% rate cybersecurity as ‘important’ or ‘very important’, almost half spent less than $500 per year to protect themselves.
Those that outsourced IT security typically believe they are better protected than they are, and almost half of SMEs rated their cybersecurity understanding as ‘average’ or ‘below average’. One in five businesses did not know the term ‘phishing’.
Government support in the 2020 strategy includes providing security information and cybersecurity tools/products to SMEs as well as a dedicated online cybersecurity training program. It's a good first step, but several further measures could be taken to better protect smaller businesses.
Dedicated SME ambassador
Having someone solely focused on SMEs is vital because larger businesses have a significant capability in security already, whereas smaller companies don't.
New South Wales already has a cyber ambassador - but it's a voluntary role, which ultimately limits its effectiveness. Ideally, there would be a dedicated SME cyber-ambassador at a federal level: someone who represents SMEs when it comes to cybersecurity.
The focus would be on education, leading different programs and projects, and looking at new think tanks and research groups on how we deal with increasing cyber threats to SMEs, whether from state actors, cybercrime or various activist groups.
SMEs need someone to advocate for them, someone who is visible and involved in tangible deliverables.
Dedicated SME hotline
A dedicated line for SMEs for reporting threats and seeking advice would be preferable to a shared hotline.
Instead of a central desk where you get a kind of one-size-fits-all solution or services, a dedicated hotline would be a much more targeted service for SMEs than they're currently being offered.
Tax-deductible cyber training and tools
The government could offer training and make specific key cybersecurity products and services for SMEs tax-deductible.
This would establish cyber-capabilities for businesses to defend themselves as part of the ACSC and JSCS (the joint cybersecurity groups). Overall, a much more tailored program is needed for SMEs in the global watch program, with issues targeted explicitly to SMEs.
More programs for industry cooperation would be useful, with different SMEs working together and cooperating on different security programs to increase their own capabilities.
The aim is to build security capability across the private sector in SME areas where it hasn't effectively existed before. All businesses are becoming digital, so their attack footprint and size are increasing exponentially, but they are not growing their cybersecurity capability.
And this is a real problem not just for these businesses, but for Australia. Not having the right protections in place leads to loss of revenue and loss of jobs, and this is something that needs to be improved upon.
Many SMEs are on a knife-edge right now, and the smallest thing will put them out of business for good. Even a small cyber attack can be cataclysmic.