The past few months have been filled with change for small-business owners. Some businesses have pivoted, some have evolved and some have had to pause operations altogether.
But despite a surge in remote work, one thing that hasn’t changed is the lack of cybersecurity awareness and protection in small businesses. Last year, nearly half of Australian SMEs spent less than $500 on cybersecurity, despite the ACCC’s Targeting Scams report showing businesses lost $132 million to scams in 2019. COVID-19 has only exacerbated these vulnerabilities, with SCAMWATCH reporting over 3300 scams since the pandemic began earlier this year.
Cyber criminals and scammers don’t discriminate on size – they can hit you and a thousand other small businesses at the same time. There’s also a lot of outdated thinking around the obviousness of scams, e.g. Nigerian princes. You might think you’d never fall for an email scam, but if the email comes from a known work contact, mentions a project or client you’re familiar with and has a sense of urgency, you might not see anything unusual in the interaction. Some cyber criminals will monitor a target email account for weeks to understand your contacts and communications style, and then use it to their advantage.
In the move to remote work, small businesses have (understandably) needed to prioritise the ability to continue operations rather than cybersecurity concerns. In reality, that’s not the case without some configuration, and things as simple as password strength will have a huge impact on the security of using these technologies.
Consider how you are using each individual technology platform, particularly if it’s replaced a manual process, e.g. writing phone numbers down or passing on banking information. When you’re all in different locations you’re much more reliant on technology, and each time you use it you increase your risk.
99 per cent of cyber attacks require human interaction in order to succeed, which makes you and your team the best (and worst) cyber defence your business has. People have idiosyncratic approaches to technology, and when everyone is working remotely, there are added complexities around the safety of their home network system and how they are accessing your office systems.
To tackle this side of cybersecurity, understand what data you have, what is valuable, and how it is accessed by the team. What have you done to make it easier for your team to be more cyber fit, and what support do they need to get their individual risks down pat? It could be implementing two-factor authentication for all company systems, requiring minimum password strengths, or running some team training on the cyber risks of working remotely.
While taking action on cybersecurity is important, it also doesn’t have to take lots of time or money. Instead, you should plan to take small, incremental steps to improve your cybersecurity on a regular basis.
When you want to get fit, you don’t join a gym, go for 24 hours and then become fit immediately; it’s a process and takes time. Cyber fitness is the same: you just need to improve every day. Entering the world of cybersecurity can become overwhelming pretty quickly, so look for a program or supplier that will help you get a good, quick grasp on your business’s unique risks and develop a routine that will help you get an initial idea of what you should do, and implement gradually and sustainably.
Susie Jones, Co-founder and CEO, Cynch Security