The real cost of cyber breaches to SMEs

New Home Affairs Minister Karen Andrews has declared cybersecurity a major priority, following the news that 553 million Facebook users had their data stolen and published online, and Nine and Parliament House faced similar attacks. If it wasn’t clear before, it’s now startlingly obvious that any business, big or small, is vulnerable to cyber attacks.

For small businesses specifically, the effects of a cyber attack can be even more devastating. While these small-scale attacks may not be enough to generate major news headlines, the impact a cyber-breach has on the day-to-day running of a business, along with the fiscal ramifications, can do irreparable damage.

With many small businesses continuing to work from home, it’s important to remember the effect that remote work has on businesses’ ability to respond to data breaches. According to a 2020 study by IBM Security, of participants who said their organizations required remote work in response to COVID-19, more than three-quarters (76 per cent) said it would increase the time to identify and contain data breaches.

In many cases, a lack of understanding around cyber security is to blame. A report from the government’s Australian Cyber Security Centre (ACSC) found almost half of SMEs rated their cyber security understanding as ‘average’ or ‘below average’ and had poor cyber security practices. One in five SMEs did not know the term ‘phishing’. Many businesses were unaware of the threats they face, with SMEs who outsource their IT security believing they are better protected than they really are.

It’s clear that in order to protect their businesses from attack, owners need to have a better overall understanding of what they’re up against. The first step is to understand the different forms of attack, including malware, phishing, ransomware, trojans, keystroke logging, insider threats, and spear phishing.

Businesses should take the time to thoroughly research these forms of cyber attack, and learn the techniques and best practices to protect themselves. For example, to protect against phishing, be cautious about all communications you receive, don’t open any attachments contained in a suspicious email, and never enter any personal information on a pop-up screen.

There are many solutions that a business can implement, including managed security monitoring, detection and response services, annual security penetration testing, multi-factor authentication and passwordless technologies. Passwords should be rotated at the very least every 60 days, although every 30 days is even better.

Multi-factor authentication (MFA) is even more secure than passwords alone. MFA adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, a physical object such as a security token or bank card, or fingerprint, face, or iris scanning.

In order for small businesses to protect themselves, the weak spots must be identified and eradicated before an attack occurs. This is especially true for those small businesses that are almost entirely based around online orders and digital customer data. As more and more large companies make headlines for their own cybersecurity breaches, it’s time for small businesses to make cybersecurity a priority for exactly the same reasons.