Cyber crime: does my small business stand a chance?

When Inc., the Australian Catholic University, the Melbourne Heart Group at Cabrini Hospital, Toyota Australia, Bank of Queensland, the Department of Parliamentary Services and the Victorian Government fall victim to data breaches and cyber-attacks, small businesses may wonder if they stand a chance of defending themselves at all.

With fewer personnel and smaller revenue, how can small to medium enterprises expect immunity from the increasingly sophisticated cyber-attacks by organised criminals?

As it turns out, small businesses, and especially start-ups, are well placed to defend themselves – and they’d want to be, with recent statistics showing that upwards of 75% of small businesses claim to have been the target of a cyber-attack within the last 12 months. Having a more contained staff ensures that company messages are more likely to disseminate throughout the organisation. And if you are just beginning your business, you don’t have weak passwords, outdated software and lazy invoicing processes to sort out. By establishing cyber defence protocols right from the beginning, you stand to save time, money, productivity and perhaps even the business itself.

A significant portion of hacking uses what is called “social engineering” to breach a business’s security. This may be as basic as someone turning up at reception and gaining access to offices by presenting as a plausible contractor – wearing a high-vis vest and carrying a ladder. Such a person may then be able to place a USB in an unattended laptop, infecting it with malware. A functional workplace runs on mutual trust between colleagues, and this will naturally extend to those perceived to be connected to the organisation: whether they turn up onsite, engage in conversation on the phone, or communicate via email. Exploiting this trust is the essence of social engineering.

Businesses need to recognise that online safety is not limited just to what appears on a computer screen. It resides in the day-to-day interactions that staff have with clients, customers and contractors. If the person you are communicating with is not known to you, there is a chance that they are extracting information from you that could help them hack your systems. Whether it is the fact that the CIO is away on leave that day, a senior staff member’s email address, banking details or even passwords, such information could be the critical element that allows a hacker to succeed in breaching your security.

This may seem depressing, and likely to make your workplace grim and lacking in trust. But it doesn’t have to be. It’s essential to routinely test the strength of your security posture, both as an early analytic tool to establish your weak links, and later on, once policies and procedures are in place, as a test of your protocols. These “cyber disaster game days” are actually a lot of fun, and promote transparency, honesty, and camaraderie between colleagues. Your staff having a healthy suspicion underlying all interactions need not affect relationships with customers and clients. In fact, being seen as wary will be seen as being responsible, and should make your clients trust and respect your business practices all the more.

As well as social engineering, human error also contributes significantly to a business’s vulnerability. The latest results from the OAIC’s Notifiable Data Breaches report show that, on average, human error is the cause of approximately one third of all data breaches. Inadvertently emailing personal information to the wrong recipient is a classic example of these events. Failing to use BCC, thereby disclosing all email addresses to all recipients, also constitutes a data breach. So does insecure disposal of personal information, such as putting customer records in the rubbish rather than the secure document disposal bin. Even losing paper files or USBs can put a business or its customers at risk.

Getting your staff on board with protecting the business’s security need not be hard. Make staff aware of how hacking often starts – and it’s not just the lack of a firewall, failure to patch software promptly, and weak passwords. Quarterly cyber-awareness training should be mandatory within most businesses, small or large, to ensure that staff remain vigilant and are aware of the latest threats. Stories of hacked businesses reveal how mistakes, assumptions, automatic responses and blind trust led the attackers through the door. Regardless of any employee’s official position description, each of them should feel personally motivated and responsible. It’s not just up to the IT department or IT services provider to secure the business’s online safety; it’s everyone’s job.

Are you unsure of your current security posture and feel that you’d benefit from an independent audit of your existing systems and processes, which is aligned to industry best practices? Have you recently noticed unusual events such as emails disappearing or machines behaving erratically? If so, your business would benefit from Cloud Armour’s CyberSecurity Health-Check. Contact us on 1300 887 811 or today for more information.