Why Most SMEs Don’t Worry About this Risk, But Should

Cybercrime costs the Australian economy $42 billion annually, says the University of NSW. It estimates just one-fifth of online crime is reported.

The rise of cyber threats

Last year, reports of cyber attacks such as ransomware rose by 105% globally, but cyber experts don’t yet understand the reason for the upturn. It could have been due to more people working remotely or companies paying ransomware demands, spurring further hacker activity.

It’s blackmail. A cybercriminal can install ransomware once they’ve successfully entered your computer network via an email attachment or other vulnerability. This will encrypt your computer files so you can’t access your system, with the criminals demanding payment for the encryption keys. You’ll be on edge, not knowing if or when they’ll publicly release your business and personal data.

Many SMEs don’t think they’re at risk

SMEs represent 97% of Australia’s businesses and range from sole traders to organisations with up to 200 staff.

SMEs know cyber risks are increasing, thanks to the Russia-Ukraine war and more employees working remotely. But a recent survey found that about four in 10 such business owners said they assumed large companies, such as multinationals, were more likely targets.

That’s despite almost half of Australia’s small businesses being vulnerable to cyber attacks, says Business Australia.

As well, SMEs tend to:

  • Have a limited IT budget, resources, and staff to identify and manage cyber risks
  • Opt for free and built-in security tools rather than specific security technologies
  • Not know where to begin in identifying security weaknesses
  • Underestimate risks
  • Think they can’t justify investing in cyber insurance, and
  • Assume they’re better protected than they really are if they do outsource IT security.

Most common threats to SMEs

According to industry surveys, SMEs are potential targets for:

  • Malware such as ransomware
  • Phishing attacks
  • Data breaches
  • Distributed denial of service attacks
  • Zero-day vulnerabilities
  • Advanced persistent threats that keep ‘knocking’ until they come in
  • Human error, including your staff attaching the wrong file to an email or your phone being stolen.

Even something as simple as the availability of a new domain name category that drops the ‘com, gov, net, org or edu’ is risky, says the Australian Cyber Security Centre (ACSC). It means anyone with a local Australian connection could register a website just like yours to confuse customers. Check the ACSC’s advice about how to manage this risk – the deadline is 20 September.

The ACSC says many SMEs are unaware of effective and inexpensive practices to protect them against cyber incidents.

Why you should be vigilant

Your business could be vulnerable to an attack at any time, with the risk of considerable costs. The fallout could be financial loss resulting from money or information stolen, as well as the disruption to your business.

Your company is also at risk of reputational damage, and so are those companies you rely on to do business if they’re also affected. It will be costly to revive your infiltrated systems, and you’ll lose time reporting the breach to authorities in the event a privacy breach has resulted in customer information being compromised.

Aim to keep a step ahead of these bad actors:

  • Ensure you ‘patch’, that is, update your software regularly
  • Use multi-factor authentication to protect your access to your accounts
  • Back your data up regularly to an external hard drive or the cloud
  • Check out leading endpoint detection and response tools
  • Keep your antivirus software current
  • Invest in physical hardware security keys
  • Join the news feed from the Australian Cyber Security Centre.

Cyber insurance

You can also bolster your risk management by investing in cyber insurance to protect your data and that of your customers and suppliers. It covers your business for various risks concerning your information technology infrastructure and activities.

A typical policy covers you for:

  • First party: Financial losses your business suffers due to a cyber incident, including business interruption resulting from computer system downtime; the costs of regulatory investigations and fines; payment card breaches; and lost data recovery costs.
  • Incident response: You’ll have access to an expert to help your business recover from a breach. Included are legal advice, privacy breach management, IT security and forensic services costs, responding to regulatory inquiries, and helping mitigate reputational damage.
  • Third-party liability: Where a client or other party suffers a loss for which your business is liable. This includes virus and malware transmission, identity theft, privacy breaches, unauthorised access to a third party’s or your computer system, and media liability, plus
  • Crime: Covers your business against losses from cyber blackmail, funds transfer fraud, identity theft against your company and telephone hacking.

For more information and to discuss the particular needs of your business for cyber protection, contact us for guidance and recommendations.