The risk of cyber-attacks for small and medium-sized enterprises (SMEs)
Many small and medium enterprises labour under the misconception that they are an unlikely target for cyber attackers. A survey of 1,420 SMEs in 2017 revealed that 87% of small business owners do not feel at risk of a cyber-attack. Statements such as “we are too small to worry about that” – or “we don’t have any data worth stealing” – are thrown around. For those who think their business has a low profile and is not on the radar of hackers – I implore you to think again.
The potential consequences of a data breach, for a business of any size, are immense. Not only do breaches cost companies thousands of dollars, but they also damage the reputation of brands. Moreover, in Australia, failing to comply with the Notifiable Data Breaches scheme can cost a business over 2 million dollars in fines.
We are too small. It won’t happen to us.
Your company has firewalls, you have VPNs, and your anti-virus software programs are up-to-date. You feel protected, and one year down the line you still haven’t experienced the ordeal of dealing with a cyber-attack. A lot of small business owners are laissez-faire when it comes to online security; especially if they have not endured an attack. However, research shows that over 40% of cyber attacks specifically target small businesses; and many attackers can gain access to sensitive data without their victims becoming aware.
Small business owners must be attentive and change their mindsets to protect their companies from cybercriminals. Too often small business owners think nothing will happen to them because they have a low profile and don’t have anything worth stealing. Therefore, they do not put effective security measures in place and seldom update security software programs. Without adequate protection, small business owners may find themselves in the line of fire. Recent Australian statistics emphasise the risk SMEs face when it comes to cyber-crime.
SMEs suffer thousands of cyber breaches annually, yet many SME owners still think only larger organisations are at risk. A recent Norton report revealed that 516,380 Australian small businesses fell victim to cyber-crime in 2017, and SMEs had to pay an average of $4,677 to free their data from ransomware.
Major cyber breaches have included the Perth Mint data breach and the Red Cross blood donor breach. In the Perth Mint data breach, customers bought or sold precious metals through what they thought was a “secure online trading platform.” The breach affected 3,200 online customers. Similarly, the Red Cross blood donor breach compromised the personal information of 500,000 Australian blood donors. So, if hackers can gain access to larger organisations, why would they waste their time with SMEs? Many business owners have thought about this question, and it is crucial to look at the reasons why.
Five reasons why SMEs are targets of cyber-crime
- Lack of investment in cybersecurity
Small business cyber-attacks are common. A lot of SMEs invest little-to-no money on improving their cybersecurity situation, and this complacent nature of small business owners makes them easy targets. Often business owners think that their company is low profile, and therefore they don’t foresee any need for additional security as they assume no one will be interested in stealing data from an SME.
- SMEs can lead to blue-chip organisations
Small business owners may believe that their company is too small to be noticed by hackers. After all, they don’t have the same level of resources or data that larger organisations have, yet hackers still target them. Why? Hackers may take an interest in small companies because they provide a route to more significant opportunities. When cybercriminals hack into small or medium-sized businesses, they may be able to gain access to blue-chip organisations. Larger organisations sometimes have systems interconnected with SMEs. So, when hackers compromise the security of an SME, they can then penetrate the defences of the larger organisation. The 2013 Target data breach is an excellent example of this: it was perpetrated by first hacking a small HVAC company, and 41 million customers were affected.
Sydney Morning Herald writer and personal finance expert, Tony Featherstone, states that small businesses may be required to conclusively demonstrate their security credentials when working with larger organisations in project tenders, purely due to possible security risks. So, if you are a cybersecurity laggard and your business isn’t up to date on all security measures, you risk losing potential business opportunities as well as thousands of AUD if you get hacked.
- SMEs do not encrypt their data
Often small business owners mistakenly believe that their data is of no interest to anyone but themselves. Hence, business owners do not encrypt their data, and in doing this, open the door for cyber-criminals to hack into their systems and steal sensitive information. To avoid this, it is imperative that personal data, such as credit card numbers and customer information, is encrypted.
- Having weak passwords
Small business owners must ensure passwords are secure and changed on a regular basis. Cybercriminals gain access to information and infiltrate computer systems easily by exploiting weak passwords. If you think you do not have enough time to both manage your business and ensure passwords are secure, then you are setting your business up for a potential security breach.
- Not training company employees
Security risks and data breaches most often arise from unintentional mistakes made by employees of the company. Therefore, it is imperative for employees to receive continuous security training. When employees work remotely and abuse their privileged access, a company’s security is put at risk, making employees one of the most significant security threats to a company’s survival. A survey conducted by the Ponemon Institute in 2016 showed that 22 per cent of businesses blamed cyber-attacks on insiders. Additionally, a Vormetric report revealed that 59 per cent of companies stated cyber-attacks were the result of simple human errors. An example of this would be visual hacking, which occurs when an employee is careless and opens their laptop on a train or bus, then inputs sensitive data in view of others.
The Director of Printing Systems for Hewlett Packard South Pacific, Paul Gracey, says that security risks are expanding and evolving daily, even on simple devices such as a network-connected printer. The reduced effectiveness of firewall protection means that devices on an organisation’s network are at risk, including printing and imaging devices. Business owners and employees may not take note of what information is being sent to and stored on printers, which is why hackers are increasingly using them as an entry point to gain access to sensitive information. Therefore, security training and awareness are vital.
Notifiable Data Breach Scheme
If a data breach becomes apparent, reporting it is essential. Reporting data breaches has been mandatory since the Notifiable Data Breaches (NDB) scheme of the Privacy Act came into effect in February 2018. Previously, privacy laws didn’t affect small businesses, but now all companies covered by the Australian Privacy Act 1988 have to report data breaches to affected members of the public and to the Office of the Australian Information Commissioner (OAIC).
Many SMEs haven’t prepared their organisations in line with the data breach disclosure laws. According to Australian business journalist, Nina Hendy, 57 per cent of small businesses have not done any form of IT security risk assessment in the last 12 months. Not assessing IT security risks (and taking reasonable steps to mitigate these risks) means that in the case of a breach, company directors will be held personally responsible for the consequences to customers and business partners.
Failing to report data breaches will result in severe consequences
There are significant financial penalties tied to the new Australian legislation regarding data breaches. A $1.8 million penalty can apply to organisations, and a $360,000 penalty to individuals, that do not report eligible data breaches. Furthermore, if you do not notify affected individuals, this may result in complaints to the OAIC.
You are not too small
A business of any size is a good target for cybercriminals, particularly if it has not recently assessed its risks and ensured it is well protected. For the small business owners who still think they are too small to land on the radar of cybercriminals, their naivety makes them prime targets. Cyber-crime is a significant concern for SMEs around the world and especially in Australia, and if they do not pay attention to ensuring adequate security measures are in place, then they are as good as sitting ducks.
Spending money on security measures is a pain, but in this era where cybercriminals are rife, it’s a necessity. Business owners have to make sure their data is encrypted, systems are secure, and employees must receive regular training on security risks. ‘Protect your data the same way you protect a physical space’: ensure you lock up and be very careful whom you give the keys.
I would like to know more
At Stickman, we have been working with leading Australian businesses of all sizes since 2007, to help identify risks and protect their owners, business partners, staff, and customers. Reach out to us, for a confidential discussion of your cyber risk profile, and ask us about our CISO-as-a-Service and Managed Security offerings.