If you think cyber criminals wouldn’t bother to target Australian small businesses, you’d be quite wrong. Banjo explains the risks and what you can do about them.
If your or your clients’ email server, locally stored data or personal information were hacked, it could be one of the most catastrophic things to happen to your business.
The monetary, reputational and strategic cost doesn’t bear thinking about. And so that’s often exactly what happens – we don’t think about it. Instead, we spend a few dollars on a basic security package, and cross our fingers that we’ll be safe.
After all, why would a hacker or other criminal be interested in a small Aussie business – surely they’re too busy attacking the bigger global players?
That’s an all-too-common misconception, says Kevin Mangano, CDO of Yellow Brick Road Group.
“Having any kind of web presence (email server or website) means you’re almost certainly getting scanned hundreds of times a day by bots programmed by bad actors to look for vulnerabilities.”
The Australian Cyber Security Centre’s latest Annual Cyber Threat Report (2022) states that Australia is attractive to cyber criminals in part because per capita it’s a wealthy country. During the 2021–22 financial year, over 76,000 cybercrime reports were received, an increase of nearly 13 per cent from the previous financial year. That’s approximately one cybercrime report every 7 minutes, compared to one report every 8 minutes in 2020–21.
The Report also says that medium-sized businesses (defined by the Australian Bureau of Statistics as having between 20 and 199 employees) had the highest average loss where a financial loss occurred.
This is often because larger companies tend to have stronger security measures and be better resourced to protect themselves.
Kevin says the second biggest mistake is to under-invest in cyber security, having inadequate protection or cutting corners to save money.
“It’s a false economy to use ‘free’ unverified software or to share passwords instead of buying extra licences. It’s a bit like ultra-cheap car insurance – you wouldn’t trust that, so why would you leave your data and IP open to significant risk?”
Good cyber security is often sacrificed earlier in the business lifecycle, typically during the Growth stage, when money may be tighter or is perceived as needed to build other areas of the business. The decision is then not revisited once the business has valuable IP that it needs to protect, which is a significant risk for the business and its customers.
“Where cyber security is concerned, hope is not a good strategy,” says Nirosh Weerasinghe, Executive Director of Finance Circle Group brokers, plus Oceania Outsourcing, which provides outsourced services to mortgage brokers in Australia.
“Everyone uses the same four-letter word: ‘busy’. They believe they don’t have time to set up all required security measures. But if they’re not properly protected, they’ll eventually get hacked, and will spend way more time rectifying it than they ever would have in setting up the right protections. Not to mention how much they’ll lose,” says Nirosh.
Nirosh also points out that brokers who collect data from clients must always be mindful of privacy.
“Australia has strict privacy laws, for good reason. Make sure you always get clients to sign the privacy form before they provide their ID or financials. Do not accept that sensitive information before you have the signed form from them. And never let them send information to you via unsecured methods.”
Julian Hedt, CTO of Banjo Loans, says there are 4 key actions businesses can take:
1. Never send or receive sensitive ID or financial details via email, as it’s the weakest link, security-wise. Instead, have clients or associates upload the data to your CRM or Google Drive, or collect ID face-to-face. Have strong email filtering protection, for more than just spam, e.g. phishing filters and infected document identification.
2. Always use two-factor authentication (where 2 methods of identification are needed to verify identity, e.g. a password and a PIN sent to the user’s mobile).
3. Use a major Cloud Services provider such as Google or Microsoft – who generally have the most robust systems with state-of-the-art technology – to share data or information.
4. Make sure your staff are trained (preferably by a professional) in internet hygiene.
If your client thinks they can’t afford proper cyber security, sit down with them to work out how they could use working capital funding to protect their business.
As a general rule of thumb, $30-50 per month per employee should buy secure cloud storage from the likes of Google, Microsoft 365 or Dropbox, plus an anti-virus system for each computer used by staff. A training program by a cyber security consultant will be an additional cost, but will give peace of mind that the whole business is covered.
In cyber security, you don’t know what you don’t know. Investing to secure your business can protect you from a world of pain.