The impact of cybercrime on a business can be catastrophic. Many types of cybercrime can...
In today’s world businesses around the world as well as in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them; their money, data and reputation. Critical business assets like bank accounts, email systems and business devices, face compromise and are lucrative targets for malicious actors.
Over the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) discovered that there was an increase of 13% in cybercrime reports when compared to the prior year, receiving over 67500 reports from Australian businesses. This equates to the ACSC receiving one report of a cyber attack every 8 minutes compared to one every 10 minutes in the previous financial year.
How is Cybersecurity different for SMBs?
Cyber criminals do not discriminate, regardless of size, type or industry, businesses in Australia and around the world are under threat from cyber criminals. For the more than 2 million Australian small businesses the actions of cyber criminals can be devastating, leaving their businesses unable to recover. Small to medium businesses operate in a different environment compared to larger enterprises, with 97% of Australian businesses having less than 20 staff. With limited resources, many of these businesses lack the resources, skills and experience to maintain a high level of cybersecurity. However there are certain steps SMBs can take to prevent cyber criminals from hacking into their sensitive systems and networks.
What are the key cyber threats for SMBs?
A cyber attack is an attempt to disable computers, steal data, or use a breached computer system to launch additional attacks. Cybercriminals use different methods to launch a cyber attack, below are three common types:
1. Malware - Malware is a blanket term for malicious software including Ransomware, viruses, spyware and trojans. Malware allows criminals with a way to gain access to important information such as bank or credit card numbers and login credentials. Malware can be used by criminals to spy on their victims or even take control of a victim’s computer system. SMBs make lucrative targets for criminals as a majority of them lack the resources to detect and combat malware.
2. Ransomware - Ransomware is a form of malware that encrypts a victim’s files, systems or networks. A ransomware attack can bring a business to its knees with an attacker holding their systems hostage until the ransom has been paid. Small businesses can be particularly vulnerable, as they are less likely to implement cyber security measures that could help prevent and recover from ransomware.
3. Phishing - Phishing is a social engineering tactic that consists of an attacker sending an employee a fraudulent message via email, instant message or text message, in the hope that the unaware employee will click a link that downloads malware onto their system, freezes the system as part of a ransomware attack or reveals sensitive information of the organisation. Most SMBs fail to adequately train their employees in information security best practices, which can make it hard for employees to identify and avoid phishing attempts.
How can these cyber threats be prevented?
Small to medium businesses can implement a number of best practices to avoid succumbing to cyber threats, below are the top ways for SMBs to protect themselves from cyber criminals.
Regularly update software - Cyber criminals take advantage of known vulnerabilities to hack your devices. Regular system updates have comprehensive security upgrades to patch these vulnerabilities. Ensuring that employees are installing the latest patches and updates to software can help reduce the change that a cyber criminal exploits a known weakness to gain access to your system or network. A good way to stay on top of updates is to turn on the automatic update function on software and systems, however if this isn’t available it is the employee’s responsibility to regularly check for updates.
Maintain data backups - A backup is a digital copy of your business’ most important information e.g. customer details and financial records. This can be saved to an external storage device or to the cloud. An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention. Backups are important because data losses can occur in many forms, from hard drive failures to ransomware attacks and even human error or physical theft. No matter the incident, a data backup could can enable you to restore the data stored on your devices. Data backups can greatly reduce the downtime a business could face in the event of a ransomware attack.
Multi-factor authentication & complex passwords - SMBs should ensure that employees implement two or multi-factor authentication on their devices. Implementing multi-factor authentication such as two factor authentication, which needs another factor other than username and password to enable access, can increase the chances of preventing endpoint access.
SMBs also need to encourage strong password management practices amongst employees, ensuring that passwords are being updated regularly, are unique and not shared amongst accounts. Strong password management is an essential part of endpoint security, if an attacker gets access to login credentials, strong password management can lessen the impact e.g. if passwords are unique and not reused, attacker access can be restricted to a single account.
Access control - SMBs need to implement access controls, to ensure that only authorised employees can access sensitive data and systems. By strategically assigning employees the correct level of access depending on their role and responsibilities in the business, the overall risk of suffering extensive damage from a cyber attack is effectively mitigated, irrespective if it is from an external actor or due to internal errors.
An effective method of implementing access control is by following the concept of least privilege. Least privilege is defined as the strict assignment of access rights and permissions for users, accounts, applications, systems, devices and computing processes, to the absolute minimum so that assigned organisational activities can be carried out. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.
Training & Awareness - Security awareness training is a strategy that should be implemented by SMBs to prevent and mitigate risk when it comes to compromising their information security. These programs are specifically designed to provide employees with clarity regarding their roles and responsibilities when it comes to upholding information security.
A successful security awareness program, helps employees understand proper cyber etiquette, the security risks associated with their actions and to identify cyber attacks they may encounter during their day to day operations. Human error continues to be the biggest threat to a businesses information security, by providing employees with thorough and regular training and awareness when it comes to information security, SMBs can greatly reduce the chance of cyber attacks and instil a strong cybersecurity culture within their organisation.
How can StickmanCyber help?
Any business, big or small, is vulnerable to cyber-attacks. But for small businesses, even small-scale cyber attacks can be incredibly damaging. They can severely impact how a business is run, wreaking irreparable financial and reputational damage.
Similar to how physical locations use back-to-base alarm systems, your business can benefit from the use of qualified, certified and experienced cyber security experts who monitor, detect and respond to cyber attacks and threats targeted at your business’ computers and networks. StickmanCyber’s SME Protect service provides peace of mind for your business with enterprise grade back-to-base alarm systems that monitor, detect and respond to cyber attacks and threats 24x7x365 days a year.