If you think cyber criminals wouldn’t bother to target Australian small businesses, you’d be quite wrong. Banjo explains the risks and what you can do about them.
If your email server, locally stored data or personal information was hacked, it could be one of the most catastrophic things to happen to your business.
The monetary, reputational and strategic cost doesn’t bear thinking about. And so that’s often exactly what happens – we don’t think about it. Instead, we spend a few dollars on a basic security package, and cross our fingers that we’ll be safe.
After all, why would a hacker or other criminal be interested in a small Aussie business – surely they’re too busy attacking the bigger global players?
That’s an all-too-common misconception, says Kevin Mangano, CIO of Vow Financial.
“Having any kind of web presence (email server or website), means you’re almost certainly getting scanned hundreds of times a day by bots programmed by bad actors to look for vulnerabilities.”
The Australian Cyber Security Centre’s latest Annual Cyber Threat Report (2022) states that Australia is attractive to cyber criminals in part because per capita it’s a wealthy country. During the 2021–22 financial year, over 76,000 cybercrime reports were received, an increase of nearly 13 per cent from the previous financial year. That’s approximately one cybercrime report every 7 minutes, compared to one report every 8 minutes in 2020–21.
The Report also says that medium-sized businesses (defined by the Australian Bureau of Statistics as having between 20 and 199 employees) had the highest average loss where a financial loss occurred.
This is often because larger companies tend to have stronger security measures and be better resourced to protect themselves.
Kevin says the second biggest mistake is to under-invest in cyber security by buying a cheap, inadequate package, or cutting corners to save money.
“It’s a false economy to use ‘free’ online tools like PDF converters, or to share passwords instead of buying extra licences. It’s a bit like ultra-cheap car insurance – you wouldn’t trust that, so why would you leave your data and IP open to significant risk?”
Good cyber security is often sacrificed earlier in the business lifecycle, perhaps during the Growth stage, when money may be tighter or is perceived as being needed to build other areas of the business.
“Where cyber security is concerned, hope is not a good strategy,” says Nirosh Weerasinghe, who runs Finance Circle Group brokers, plus an overseas business that outsources services to brokers in Australia.
“Everyone uses the same four-letter word: busy. They believe they don’t have time to set up all sorts of security measures. But if they’re not properly protected, they’ll eventually get hacked, and will spend way more time rectifying it than they ever would have in setting up the right protections. Not to mention how much else they’ll lose,” says Nirosh.
Nirosh also points out that businesses that collect personal data from customers must always be mindful of privacy.
“Australia has strict privacy laws, for good reason. Make sure you always get customers to sign the privacy form before they provide their ID or financials. Do not accept that sensitive information before you have the signed form from them. And never let them send it to you via email.”
Julian Hedt, CTO of Banjo Loans, says there are 4 key actions businesses can take:
- Never send or receive sensitive ID or financial details via email, as it’s the weakest link, security-wise. Instead, have customers or associates upload the data to your CRM or Google Drive, or collect ID face-to-face. Have strong email filtering protection, for more than just spam, eg phishing filters and infected document identification.
- Always use two-factor authentication (where 2 methods of identification are needed to verify identity, eg a password and a PIN sent to the user’s mobile).
- Use a major Cloud Services provider such as Google or Microsoft – who generally have the most robust systems with state-of-the-art technology – to share data or information.
- Make sure your staff are trained (preferably by a professional) in internet hygiene.
If you think ‘OK I need this, but how can I afford proper cyber security?’, sit down with your broker or accountant and work out how you can use working capital funding to protect your business.
As a general rule of thumb $30-50 per month per employee should buy secure cloud storage from the likes of Google, Microsoft 365 or Dropbox, plus an anti-virus system for each computer used by staff. A training program by a cyber security consultant will be an additional cost, but will give peace of mind that the whole business is covered.
In cyber security, you don’t know what you don’t know. Investing to secure your business can protect you from a world of pain.