The recent Channel Nine cyber attack has put cybersecurity back in the spotlight, but this is not just a large enterprise problem. 60% of all cybercrime targets small & medium businesses.
In comparison to recent high profile targets like Channel Nine, Service NSW and ASIC, it may seem that your business is flying safely under the radar of hackers and at low risk of cyber attack. The truth, however, is that cybersecurity is a serious and costly issue for smaller businesses, which are frequently targeted by:
- Malware: This is any type of malicious software installed on someone’s computer or mobile device without their knowledge, which is designed to cause damage to the device, server or network. The AISI receives around 4,000 reports of malware daily.
- Phishing: This is where a user is sent an email that’s designed to appear trustworthy and to persuade them to click on a link and then to sign in or provide other sensitive information. This is the suspected origin of the Channel Nine breach.
- Ransomware: This is software that blocks or disrupts access to systems, or threatens to publish sensitive data, unless money is paid to the hacker who’s holding them ‘hostage’. In the recent Lion case, the ransom was reportedly $US1m.
Although the attacks on big corporates attract the most publicity, smaller businesses are increasingly in the firing line. Here are some of the reasons they are attractive targets for cybercriminals, and how you can ensure that your business has the right protections in place.
Smaller Businesses Are More Vulnerable
Smaller businesses typically have smaller budgets and fewer resources for cybersecurity, and are less likely to have modern defences in place – for instance, 33% of Australian businesses with under 100 employees don’t take proactive measures to defend against cyber attacks, such as next-gen endpoint protection.
Smaller businesses also tend to lack measures like strong security policies and cybersecurity education for staff, leading to common vulnerabilities such as weak passwords or no multi-factor authentication, lax email security, under-trained users and unpatched out-of-date software.
Cybercriminals do not discriminate amongst potential targets by size – rather they look for vulnerabilities, and smaller businesses are often softer targets and more easily breached. This is why 60% of cybercrime is targeted at SMEs and 43% at small businesses.
Many Small Business Owners Are Overconfident
Recent reports have found that 66% of small business owners consider themselves well-informed about cybersecurity risks, while 87% believe their businesses are safe from cyberattacks just because they use antivirus software.
When these figures are compared with the actual data on the frequency and cost of cyber attacks against small & medium businesses, it seems that many business owners are overestimating their cybersecurity awareness and preparedness. This overconfidence is a weakness that hackers can easily identify and exploit.
Smaller Businesses Have Sensitive Data Too
Cybercriminals understand the value of data, and even very small businesses have sensitive records that are attractive to hackers. For example, most small businesses hold various employee details such as identification data, tax file numbers, and bank and superannuation details. Some also hold health-related records that are in high demand.
Though hackers may have no use for this information themselves, they can readily monetise it on the dark web, where for example health records can sell for $US1,000 because they’re in high demand with identity thieves.
We regularly conduct Dark Web ID Scans on new client domains, which have identified thousands of instances where user information and login details have been stolen and leaked to the dark web. This increases the threat level to an organisation.
How To Protect Your Business & Data
Stronger cybersecurity defences make your business a harder target for cybercriminals, which reduces the likelihood that you’ll be attacked or breached. Here are some basic measures that should be in place at almost any business:
- Security software to protect both the network and endpoints
- Multi-factor authentication across all remote access services
- Regular training for staff on cybersecurity risks and policy
- Prompt patching of software, operating systems and devices
- Regular and secure backups of your business data
NIST Cybersecurity Rapid Score
For a thorough assessment of your IT and cybersecurity environment, we offer our NIST Cybersecurity Rapid Score service using the best practice framework from the US National Institute of Standards and Technology (NIST).
This is a two-day engagement, at the end of which you receive your Cybersecurity Rapid Score & Report with a risk score and detail of your risk profile and vulnerability to attack. Our security experts also provide a prioritised list of steps required to achieve a reduced risk profile in line with your industry, and a summary of the potential impact of a breach to your organisation.