Cyberattacks that make headlines usually involve big companies or government organisations, large data breaches, millions of dollars in losses and ransomware attacks. But as serious as those stories are, they tend to be less consequential than the thousands of monthly attacks on Australia’s small and medium businesses.
For small-business owners, cyberattacks can easily be the worst experience of their professional lives and, in many cases, threaten their livelihood. The bad news is that the risk of falling victim to an attack is increasing. Research from the Australian Cyber Security Centre shows that the frequency of successful attacks has grown from one every ten minutes to one every eight minutes this year. Ransomware attacks jumped 288 per cent in the first half of 2021.
The risk for SMEs has increased for a multitude of reasons. The pandemic has pushed many companies to adopt technology quickly to continue operations during lockdowns. Businesses rushed to implement new digital channels to service clients and to communicate with staff working from home. Most SMEs had to do this while fighting for their survival and dealing with enormous operational challenges. This combination meant most companies didn’t have the time or money to think about cybersecurity.
Research from AustCyber shows that over 84 per cent of Australian SMEs have online services, but fewer than 15 per cent pay for external cyber security expert support and almost one in five don’t spend any money protecting their organisation against cybercrimes.
To make matters worse, when small-business owners look for help, they rarely find adequate support. The security industry in Australia tends to focus on large companies, and many experts offer technically complex, expensive and time-consuming solutions that demand expertise, money and time, all things small businesses don’t have. At the same time, cybercriminals have become more sophisticated and, in many cases, more professional. This means a perfect cybersecurity storm is hitting SMEs, and we need to help them navigate this new situation.
Human behaviour should be a key focal point for SMEs. Most attacks still exploit weak passwords, clickbait emails or scams that ask for information or financial transfers. Many victims volunteer information or process transactions, unaware they are under attack.
A common tactic is to send scam emails late on Fridays when people are tired and prone to making mistakes. Another is to use celebratory dates to trick people into shopping on fake websites, or to ask for sensitive information in emails that seem to be from reputable sources such as banks.
The first thing SMEs can do to protect against these risks is to change their cybersecurity mindset and invest in good cyber fitness. People don’t get fit from one day to the next. They make incremental progress by training a little bit every day. Similarly, SMEs should gradually build their cyber muscles over time with simple actions that can minimise problems.
Password management software can help make sure passwords are strong, varied, and frequently changed. Having two people check the details of all large payments is an excellent way to avoid paying fake invoices.
Keeping up with cyber information is also a good practice. A great deal of online information is available, and events such as the Australian Cyber Week, being celebrated this week, can also help. Finding specialised support is also a possibility. Although still rare, the number of companies servicing SMEs is growing, and they can be very helpful – think of them as personal cyber security coaches.
Cybercrime is a lucrative industry that is not going away, and the pressure for safe and convenient services will only continue to grow. The good news is that the solutions exist, and many are easy. But, just like in training, you need to take the first steps.