As Australian governments and corporations move to tighter security protocols around their data and communication systems, there is increasing concern around small and medium enterprises (SMEs), according to government and business organisations.
With digital platforms offering faster, cheaper and automated functions across most business needs, SMEs use online applications to boost efficiency and achieve scale.
The Commonwealth government estimates that up to 90 per cent of Australian SMEs are online. But the convenience of digital comes at a cost. Cyber crime costs Australia around $1 billion per year and 59 per cent of Australian organisations have their business interrupted by cyber crime every month, according to the Commonwealth’s Stay Smart Online guide for small business. And 55 per cent of Australian SMEs unknowingly expose themselves to cyber crime risks through email and social media, according to the NSW Small Business Commissioner’s 2017 report, Cyber Aware.
Usage might be high in SMEs, but awareness can be low: the Small Business Commissioner’s report found that 42 per cent of business owners believed they could reduce their cyber risk by limiting their online presence, and of the 20 per cent who had suffered a cyber incident, 41 per cent were hit by malware.
Angus Taylor, Minister for Law Enforcement and Cyber Security, says there is high take-up of digital technologies by Australian organisations, yet one third of businesses with fewer than 100 employees do not take proactive measures against cyber security breaches.
One of the fastest-growing threats is the broad category of the ‘BEC’, or Business Email Compromise – a cyber attack that cost Australian businesses over $22 million in 2017, according to the ACCC.
Taylor says ransomware is also a major threat to small businesses because it gets into the business’s computer system by luring a person to open a file or click on a link in an email. Typically, ransomware works by locking up – or encrypting – files so they can no longer be used, and some types are even designed to stop networks and computers from working entirely. Ransomware attacks are becoming a criminal enterprise.
“There has been a 2500 per cent increase in the sale of ransomware on dark net sites since 2016.”
“These businesses often find it hard to recover after a cyber security incident. When small businesses experience a significant cyber breach, 60 per cent will go out of business within six months.”
The Australian Small Business and Family Enterprise Ombudsman (ASBFEO) has found that of the small businesses breached by the spate of ransomware attacks in 2017, 22 per cent could not continue operating.
The Australian government has invested $230 million into its Cyber Security Strategy, including an investment in the Australian Federal Police, the Australian Signals Directorate and CERT (Computer Emergency Response Team) to increase Australia’s cyber defences.
Angus Taylor says the strategy has been rolled out as Australian government and business become reliant on online communications. The strategy includes the Australian Joint Cyber Security Centre Pilot and the Australian Cyber Security Growth Network. It has also launched its Guide for Small Business, a plain-English website of cyber security best practice and alerts that allows individuals and business owners to sign up and join communities.
He says the Commonwealth is turning its attention to SMEs as the number of incidents rises and cyber criminal techniques become more sophisticated.
“There were 48,000 cyber attacks reported last year, and we know that SMEs were the target in more than 43 per cent of cyber crimes.”
He says the cyber criminals are moving on from generic attacks and are becoming more sophisticated. Often they tailor their attacks to a business with a BEC – typically infiltrating a business email system and then creating false invoices that are timed for pay-runs, or “reminder” notices to pay a fake bill. BECs also entail engineering fake requests for internal money transfers that look legitimate because they come from a recognised email address.
“As governments, utilities and corporations harden their cyber security, the criminals are seeing SMEs as vulnerable targets,” says Taylor. “At a time when small business owners are becoming more reliant on digital applications for things like accounting and banking, many of them are running outdated and unpatched software and many of them have outdated views of the online world. One report found that 87 per cent of SME business owners thought an anti-virus application would protect them from a cyber attack.”
Taylor says the current government’s Cyber Security Strategy is an initiative through which business owners can report incidents and ask questions, and the government can collate domestic and international cyber-intelligence and make it available in a usable form. The ACSC’s Essential Eight is a baseline set of mitigation strategies that organisations can apply to their systems.
Taylor says the Commonwealth is also working with large private-sector players to ensure that the latest threat alerts, patches, intelligence and advice are made available to Australia’s more-than two million business owners.
He acknowledges that government and regulators cannot protect all business owners from their own mistakes, and SMEs have to become proactive in their online security and make cyber-security a business planning issue.
“SMEs are not completely helpless,” says Taylor. “There’s a lot they can do.”
He says two-factor authentication as an entry requirement for computer systems or critical applications such as email and accounting is a good start, as are an anti-virus and email-filtering product and ensuring that applications are included in automatic upgrades and patches. He says migrating critical applications to a reputable cloud service is usually safer than trying to run secure applications from the SME’s own servers, and investing in employee training is also crucial to creating a cyber-secure small business.
“Many of these breaches come from human mistakes or lack of awareness. You can train your employees to have strong passphrases that are kept secret, you can show them how to check invoices for the right bank accounts, and ask them to not click on email links unless they really know where they came from. There are IT consultants who will do this training – for business owners it’s probably money well spent.”
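The BEC pattern described above (false invoices from a recognised or lookalike sender, timed for the pay-run) and the invoice check Taylor recommends can be turned into a simple screening rule that accounts-payable staff run before any payment. The Python below is an added example written for this page, not code from the government or any organisation named in it. The supplier list, domains, BSB and account numbers and invoice wording are all constructed, and the homoglyph table, the one-character edit-distance threshold and the urgency phrases are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed vendor master for the example: the supplier domains and bank
# details the business already has on file. None of these are real.
KNOWN_SUPPLIERS = {
    "acme-office.com.au": {"bsb": "062-000", "account": "12345678"},
    "northwind-it.com":   {"bsb": "033-111", "account": "87654321"},
}

# Characters attackers swap into lookalike domains (assumed set for illustration).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Pressure wording typical of BEC invoices (assumed list for illustration).
URGENCY = re.compile(r"\b(urgent|today|immediately|before the pay ?run)\b", re.I)


@dataclass
class Invoice:
    from_header: str   # raw From: header
    reply_to: str      # raw Reply-To: header, "" if absent
    bsb: str
    account: str
    body: str


def domain_of(header):
    """Extract the lower-cased domain from an address header, or "" if none."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain):
    """Fold common homoglyph tricks so acrne-0ffice.com.au compares equal to acme-office.com.au."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resolve_supplier(domain):
    """Return (known_domain, reason): exact match, lookalike match, or no match."""
    if domain in KNOWN_SUPPLIERS:
        return domain, None
    for known in KNOWN_SUPPLIERS:
        if edit_distance(normalise(domain), normalise(known)) <= 1:
            return known, f"sender domain {domain} resembles known supplier {known}"
    return None, f"sender domain {domain} is not a known supplier"


def screen_invoice(inv):
    """Return the list of reasons an invoice needs a human check; [] means none found."""
    reasons = []
    sender = domain_of(inv.from_header)
    known, reason = resolve_supplier(sender)
    if reason:
        reasons.append(reason)
    if known is not None:
        on_file = KNOWN_SUPPLIERS[known]
        if (inv.bsb, inv.account) != (on_file["bsb"], on_file["account"]):
            reasons.append(f"payment details differ from those on file for {known}; "
                           "confirm by phone on the number already on file")
    reply = domain_of(inv.reply_to)
    if reply and reply != sender:
        reasons.append(f"Reply-To domain {reply} differs from From domain {sender}")
    if URGENCY.search(inv.body):
        reasons.append("urgency wording typical of BEC")
    return reasons


# Constructed sample invoices: a genuine one, one sent from a compromised
# genuine mailbox with changed bank details, and one from a lookalike domain.
SAMPLES = [
    Invoice("Acme Office Supplies <accounts@acme-office.com.au>", "",
            "062-000", "12345678", "Invoice 1042 attached, 30 day terms."),
    Invoice("Acme Office Supplies <accounts@acme-office.com.au>", "",
            "062-000", "99990000", "Please pay today, our bank account has changed."),
    Invoice("Acme Office Supplies <accounts@acme-0ffice.com.au>",
            "Acme Accounts <ap@billing-desk.example>",
            "062-000", "55550000", "Updated remittance details attached."),
]

if __name__ == "__main__":
    for inv in SAMPLES:
        print(inv.from_header, "->", screen_invoice(inv) or ["no flags"])
```

The second sample is the case Taylor describes: the email really does come from the supplier’s own, compromised mailbox, so a sender check alone passes it. Only the comparison against bank details already on file catches it, which is why a change of payee details should always be confirmed by phone on a number the business already holds, never one printed in the invoice.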
He says the cloud is a good option for many SMEs because of the service providers’ investment in security infrastructure, cyber security systems and expert operators. While the Commonwealth certifies cloud providers before government agencies can use them, he says that certification has not yet been shared with SMEs, even though SMEs who fulfil government contracts have to be certified for cyber security and data protection.
Taylor says more than 150 organisations have currently joined the Joint Cyber Security Centre and businesses should consider joining in order to gain access to best practice in cyber security.
The Council of Small Business Organisations Australia (COSBOA) executive director, Peter Strong, says there is real pressure on SMEs to rise to a higher standard of cyber security.
“We’re talking to the Business Council of Australia about supply chain issues,” says Strong. “A day is coming when small businesses won’t be able to partake in supply chains unless they can prove they’re secure.”
Strong says the SME community is very large and covers the full spectrum of cyber awareness from people who think cyber crime only happens to big business, to sophisticated businesses that specialise in online security.
So he says the challenge is to train and equip business owners in a way they can all understand, which includes simple messages such as: separate the Wi-Fi the business uses from the one it offers the public; do not let your children play on your work laptop or phone; include cyber security in business-continuity planning; take out cyber-attack insurance; always apply software updates and make back-ups; and implement a training program for employees.
“There are many elements to being cyber secure,” says Strong, “but we’ve brought it down to three pillars: education and training, prevention and inoculation, and disaster recovery insurance.”
Strong says the SME sector employs around five million people and in 2016, one in five SMEs had experienced an attempt at cyber extortion. Given the size and economic importance of SMEs, repeated cyber assaults on the under-resourced and time-poor sector represented a huge risk.
“We have a cyber strategy, and we’re working with business owners, getting them to sit a test and become educated about cyber risks. But these people only have so much time and so much money.”
Strong says effective cyber security cannot be implemented in every small business overnight, but industry and government can start by prioritising sectors at high risk, such as accountants, solicitors, real estate firms and mortgage brokers.
He says the technology sector could also help by thinking about its messaging.
“Most SME owners should be using a cloud service, not their own servers,” says Strong. “The cloud providers should be advertising ‘you don’t need a server’, because business owners tend to look at the benefit not the feature.”