Is your SME safeguarded against a cyber attack?
Prime Minister Scott Morrison recently announced that Australian businesses were being targeted by a sophisticated foreign state-based hacker. Thankfully, the Prime Minister confirmed there have not been large-scale personal data breaches... yet.
Unfortunately, when Australian SME owners hear about state-based hackers or international criminal gangs, they assume that means hacking attacks targeted at large corporates, financial institutions, ASX-listed companies or international companies. This assumption is extremely dangerous and leads to complacency in cyber security, and it is this very complacency that paints a huge target on the back of every SME business.
Cyber criminals are acutely aware that SME businesses have limited resources to invest in adequate security and typically lack suitable staff training. Even when the initial implementation is right, many SMEs fail to ensure ongoing staff training, security upgrades or system patches, which creates opportunities for criminals. This makes SMEs an easy and lucrative target for cyber criminals. Other SME misconceptions include:
We don’t hold valuable data
Valuable data isn’t limited to financial information, credit card details or sensitive medical records. It can be as simple as an employee’s, supplier’s or customer’s personal details, such as full name, date of birth, physical address, email, driver’s licence number, tax file number or banking details.
Most businesses will hold this information about their employees, customers or suppliers as a minimum, meaning they are at a higher risk of being targeted for a cyber-attack. If a cyber-attack were to occur and this valuable data is stolen it may be used by an attacker to commit identity fraud or as the basis for a social engineering or phishing attack.
These breaches can trigger very costly mandatory reporting requirements under the privacy legislation, as well as having to notify every individual whose data has been breached. The costs of a privacy breach can also include fines of up to $2.1m.
We don’t transact online
An SME may not make online sales; however, all SMEs will use computers, a local network or a server to hold electronic files and records. A business will also do its banking online and manage its invoicing electronically, both of which involve sending and receiving personal and sensitive information.
Our data is safe in the Cloud
Storing data in the cloud simply means using another business’s server to store your information. That server will have more advanced security than an SME can afford, but the information can still be accessed, copied, stolen or altered.
Each business is legally responsible for its information, even if it is stored in the cloud, and may incur notification costs to affected individuals, remediation costs, legal costs and fines should a data breach occur.
Our IT team will take care of it
A cyber breach requires very specific and specialist skills, including forensic IT expertise, data management skills, privacy breach legal advice, public relations consulting to protect the reputation of the business, and loss assessment skills. Whether the IT team is internal or external, it will not have all these capabilities, or the ability to respond immediately to a breach 24/7.
Our IT system cannot be breached
No system can be 100% safe. The world’s most secure systems have been breached, including the FBI, Commonwealth Bank of Australia, Facebook and Sony, to mention just a few. If these organisations, with all their expensive cutting-edge security, can be breached, what hope does an SME have? This is why a cyber breach is a matter of when it will occur, not if.
The Office of the Australian Information Commissioner confirmed that 35% of all breaches are the result of human error, so even with the best possible security, employees are inadvertently allowing criminals into their employer’s system.
There are several things an SME can do to reduce its risk of a cyber or privacy breach, and many of these steps are either free or relatively inexpensive. It is important to consider what funds the business can allocate to security so that an assessment of the available options can be made. It’s also important not to put all your faith in one solution, but rather to have a multifaceted protection philosophy. Some simple tips include:
Have an incident response plan
The Australian government has prepared an easy-to-follow breach preparation and response plan, available at www.oaic.gov.au. This is a free offering, and having a plan in place allows a business to react quickly and calmly when a breach occurs. This is crucial because the longer the breach remains unattended, the more costly the event will be for the organisation.
Ongoing Staff Training
With 35% of breaches occurring due to human error, staff training is a must. There is an endless supply of free content on the internet to help educate staff. Two excellent sources are www.oaic.gov.au and www.cyber.gov.au/acsc; both are trusted Australian government agencies with excellent material. A good starting point for staff education is “identifying red flags when clicking on links or opening emails” and “how to prevent phishing attacks”. The key to successful training is for it to be easy to follow, regular and delivered across all staff.
Be vigilant with patches
In addition to maintaining standard firewalls and anti-virus protection, businesses should apply the “patches” that software providers constantly issue to fix weaknesses they identify in their products. Criminals are constantly using these weaknesses to penetrate a company’s system. It is astonishing how many SMEs fail to run regular scans for security and software updates.
Daily backups
Backup is crucial for data protection and recovery when a breach occurs. A regular data backup, preferably daily, saves your important files from data loss caused by common events such as malware infection, virus corruption and ransomware. A good backup system will reduce the time it takes to recover and minimise the potential for loss of revenue.
Strong password protocol
A strong password provides essential protection from breaches, financial fraud and identity theft. One of the common ways hackers break in is by guessing passwords; another is a staff member using the same password across multiple business and personal logins. A strong, unique password that is changed on a regular basis, combined with multifactor authentication, is a simple and effective security measure.
A business will have sprinklers, fire extinguishers, fire-retardant doors and other risk management measures to prevent its property from burning. These measures do not guarantee the building won’t burn, which is why insurance is purchased. The same applies to a cyber exposure. No matter the level of cyber security and awareness, a business remains vulnerable to a cyber-attack.
Cyber insurance offers an amazing level of protection. It will pay for the emergency response team to offer support 24/7. The policy will cover legal fees to assess whether a privacy breach has occurred and to defend any prosecution. It will pay for a public relations consultant to protect against any further damage to the company’s reputation.
The insurance will pay to fix the weakness in the system and remove any malware, ransomware, virus or encryption. The costs to recollect and re-input any lost data will be covered. A cyber insurance policy will also reimburse the business for loss of profit as a result of the breach, which can take months to recover from. The insurer will also pay the ransom if that is determined to be the best approach.
Other protection provided includes identity theft, phishing breaches, payment of fake invoices, social engineering fraud, hardware replacement, privacy breach fines, social media defamation and more.
This article originally appeared on Adroit Insurance & Risk Blog and has been published here with permission.