Five ways to protect your business from cyber security breaches

Businesses across the world were horrified by the wave of cyber security breaches that dominated the news recently. Such breaches can cripple organisations, and the threat is increasing. Attackers are taking advantage of modern connectivity and are increasingly targeting mobile devices. Everyone is at risk, so it pays to be vigilant.

According to the Federal Government's "Stay Smart Online" website (www.staysmartonline.gov.au), 60 per cent of all targeted attacks struck small and medium businesses, with an average cost of $276,363. The effect of such costs is far more significant for SMEs than for larger organisations.

Still, the following five cost-effective steps can reduce the disruption and potential losses from a major breach.

1. Cyber security isn’t an IT problem – it’s a people problem

The SME sector often lacks the budget to implement high-end security controls. Even where such controls exist, staff already sit inside the security perimeter, so their legitimate access can be exploited to bypass them.

Therefore, the security role played by organisational staff is crucial. Staff actions may not be intentionally malicious, but breaches commonly occur through access gained via phishing emails, for example. Personal devices such as smartphones can also prove potent weapons against the unwary.

Small and mid-market businesses usually start with a tight-knit group of key people who trust each other implicitly. As the business and the workforce grow, control measures can fall by the wayside.

IT-based controls and security requirements will change over time, but user education remains a critical line of defence. An outsourced IT security provider may not cover this critical area of user education: you need a human firewall.

2. Don’t forget your business partners

Many SMEs outsource their IT operations. Security is then often seen as just another IT component and left to the provider.

Many SMEs are also third- and fourth-party providers to larger organisations. With the new mandatory data breach disclosure legislation, organisations are coming under increased scrutiny. Smaller providers will need to bring their security controls up to levels acceptable to their strategic business partners.

This is important, because the potential financial, regulatory and reputational impact can be significant. It pays to be prepared.

3. Take control – get informed

The Australian Signals Directorate (ASD – www.asd.gov.au) provides free information on basic cyber security measures. Its website claims that 80 per cent of common cyber attacks will be prevented by implementing its guidelines.

Understand the cyber risk to your business and protect it from the inside out. Start with the "Crown Jewels" of your business: key assets, such as intellectual property, manufacturing processes or strategic plans, that require additional layers of protection. Then work your way out to broader business operations.

Get staff involved: educate them about current cyber risks and how they can help. This is particularly useful in modern, agile work environments, or where staff connect work devices to their home or other networks.

4. Have a well-prepared response plan

What will you do if the worst happens? You must put an incident response plan in place so people know how to react. Decisions made in the first few minutes can save you a world of pain, not to mention financial and reputational damage. The response plan should at the very least cover what to do and when, who to notify (including any regulator you are obliged to inform), how to get support, and how to get the business back to normal operations as quickly as possible.

You also need to understand your legal obligations and rights when dealing with outsourced IT security providers.

5. Make sure you’re adequately insured

Understand the risks you’re trying to mitigate and have a policy that adequately covers them.

An initial cyber maturity assessment is a good start. This will give you an understanding of your organisation's individual risk profile and how it compares with its peers. As with many insurance discussions, the more you know about your compliance position and the security controls in place, the better positioned you are when premiums are set.

Stan Gallo, Partner, KPMG Forensic

Stan Gallo will be speaking about cyber security at the Family Business Australia breakfast event in Perth on 22 June, more information on which is available at: http://www.fambiz.org.au/event/kpmg-breakfast-game-cyber-crimes-family-business/?instance_id=2102
The Family Business Association is a valued partner of Inside Small Business.