According to a recent report by BCG (Sept 2021), 77% of cyber attacks are due to human failure, with negligence or phishing accounting for three quarters of attacks and only a quarter caused by technology. This can be a major issue for small businesses that don’t have the resources to properly invest in cyber security training for their staff.
The pandemic has seen a large increase in the number of people working from home which has given hackers new opportunities to exploit vulnerabilities in unsecured technologies and prey on unprepared workplaces.
Cybercrime is a huge issue in Australia, currently costing the Australian economy around $3.5 billion a year. Globally the cost is set to rise to $2 trillion by the end of the year, up from $400 billion in 2015. Any business, big or small, is vulnerable to cyber attacks. But for small businesses, even small-scale cyber attacks can be incredibly damaging. They can severely impact how a business is run, wreaking irreparable financial and reputational damage.
Misinformation and ignorance around cyber security are a big part of the problem. A report from the government’s Australian Cyber Security Centre (ACSC) found almost half of SMBs rated their cyber security understanding as ‘average’ or ‘below average’ and had poor cyber security practices. One in five SMBs did not know the term ‘phishing’. Many businesses were unaware of the threats they face, with SMBs that outsource their IT security believing they are better protected than they really are.
Small businesses should not and cannot treat cyber security as a “wait and see” situation. It needs to be planned and implemented well in advance of an attack, and shouldn’t merely be put in place to tick a box.
In order to better protect themselves from an attack, small businesses must understand what they’re up against. There is a huge range of ways that a business can be attacked, including trojans, typosquatting, keystroke logging, insider threats, malware, phishing, ransomware, and spear phishing.
Take the time to learn the techniques and best practices for each form of attack. For example, typosquatting is a technique where the perpetrator uses a lookalike name: Google.com might become Goog1e.com or Gooogle.com. The victim can easily miss the spelling mistake and assume the email or website is legitimate, and potentially reveal sensitive payment information.
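The lookalike-domain trick above can be caught mechanically: the check below normalises characters that are commonly swapped for visually similar ones (1 for l, 0 for o, rn for m) and then measures how close a domain sits to a short list of domains the business trusts. This is an added example written for this article, not StickmanCyber tooling; the trusted list, the confusable map and the one-edit threshold are assumptions chosen for the demonstration.

```python
# Added example: flag typosquatted sender or website domains against a small
# allowlist. Illustrative code for this article, not vendor tooling; the
# allowlist and confusable map are constructed for the demonstration.

# Character sequences attackers commonly substitute for a visually similar one.
# Each key is replaced by its value before comparison, so "goog1e" becomes "google".
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

TRUSTED_DOMAINS = {"google.com", "example.com"}  # constructed allowlist


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse confusable character sequences."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Return the trusted domain this one imitates, or None.

    A domain is reported when it is not itself trusted but, after confusable
    substitution, it equals or lies within max_edits of a trusted domain.
    Exact matches return None so legitimate mail is never flagged.
    """
    d = domain.lower().strip()
    if d in trusted:
        return None
    norm = normalise(d)
    for good in trusted:
        if norm == normalise(good) or edit_distance(norm, normalise(good)) <= max_edits:
            return good
    return None


if __name__ == "__main__":
    for candidate in ("Google.com", "Goog1e.com", "Gooogle.com", "exarnple.com", "bank.com"):
        print(f"{candidate:14} -> {lookalike_of(candidate)}")
```

Run on the two domains from the article, Goog1e.com and Gooogle.com are both reported as imitations of google.com, while the genuine google.com and an unrelated bank.com pass through unflagged.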
For phishing, be cautious about all communications your small business receives, don’t open any attachments contained in a suspicious email, and never enter any personal information on a pop-up screen.
In order to deeply ingrain these lessons into your team, share examples and scenarios based on the roles and responsibilities of individual staff members. If you’re training an accounting team, for example, share examples of what can go wrong if an email account becomes compromised. Run scenarios where staff inadvertently transfer funds to hackers who are impersonating their vendors, partners, or clients.
Managed security monitoring, detection and response services, annual security penetration testing, multi-factor authentication and passwordless technologies are all great ways to fight cybercrime. Rotate passwords at the very least every 60 days, although every 30 days is even better.
Multi-factor authentication (MFA) adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Examples include an SMS message, phone call, or authenticator app to verify a browser login.
MFA isn’t a failsafe security method, but it does add another layer of protection against online identity theft and other online fraud, since a password alone is no longer enough to give an attacker access to the victim’s information.
In order for small businesses to protect themselves, the weak spots must be identified and eradicated before an attack occurs. This is especially true for online businesses that store a lot of customer data digitally.
With a strong cyber security model in place, your business should find itself in a much stronger position to protect itself from predators when an attack finally happens, because in the world of cybercrime it’s not a matter of if, but when.
About the author:
Ajay Unni has more than 30 years’ IT industry experience, with over 15 years as a cybersecurity specialist. He is the founder of StickmanCyber, a business that helps companies mitigate their cybersecurity risks. Ajay named the company after the countless stick figures he used in flow charts throughout his years in the software and cybersecurity industry.
Ajay was selected to join the 2020 NSW Government’s Cyber Security Task Force, a carefully curated group of experts tasked with accelerating the adoption of industry standards for cybersecurity across Australia and also contributed to the 2021 NSW Government Cyber Security Strategy. He also sits on the board of CREST ANZ, a non-profit that provides cyber security accreditation for companies, individuals and corporate entities and promotes best practice information security services.