Cyber attacks have surged over the past year and it’s not just government institutions and big companies that have been targeted. Small- and medium-sized businesses are equally at risk, but many aren’t prepared.
Coronavirus has created a lively threat landscape, says Keith Howard, Group Chief Information Security Officer at the Commonwealth Bank. Many more people are working from home, without the typical security controls of an office environment, and there’s also been a huge increase in small-to-medium enterprises moving online, providing greater opportunity for cyber criminals to strike.
What’s the threat?
Ransomware, cyber extortion and business email compromise are the most prevalent current threats.
- Ransomware is malicious software that’s typically delivered via a link or attachment and can encrypt your data. Attackers then demand a ransom to decrypt it. Howard says there’s been a tremendous increase over the past year in ransomware and in the aggressive tactics attackers use, and it has affected companies large and small.
- Cyber extortion occurs when attackers claim they have your data (personal or business) and threaten to release it publicly unless you pay them.
- Business email compromise occurs when criminals impersonate your email address or gain unauthorised access to a business’s email account. Often, weak passwords are to blame, as criminals have automated ways of guessing passwords that lack complexity or are fewer than eight characters long. Once a criminal gets access to a business email account, they can send legitimate-looking emails that appear to come from a trusted business contact.
The problem is that research from the Australian Cyber Security Centre shows that while smaller businesses know they should do something about cyber security, they either don’t recognise how business-critical it is, think they’re not really a target, or put it in the too-hard basket.
Every business in Australia needs a cyber security policy. It’s fundamental to running your organisation safely and should be considered a necessary ongoing investment – just as legal, business continuity or financial advice is.
It also doesn’t need to sit in the too-hard basket – cyber security is often more about people than technology. Ninety per cent of cyber attacks stem from people’s actions, or inaction.1 That means your team is perhaps your weakest link, but with ongoing education and knowledge they can become your first point of protection.
Denis Moriarty is Founder and Group Managing Director of Our Community, an information network that connects not-for-profits (NFPs) with resources. He says NFPs need to be particularly aware of their cyber security responsibilities due to the sensitive data many of them hold.
He says cyber security needs to be part of an organisation’s DNA. It should be discussed at board and management level and implemented by everyone in the business, not just the IT department.
So what do you need to do now?
Start with the basics to protect your business using this cyber security checklist:
- Teach your team about cyber security. How do they detect a phishing email? What do they do if they accidentally click on it?
- Determine where all your critical data is held and back it up – preferably in a separate location.
- Keep your end-point detection and response and anti-virus software up to date – on all your hardware, including work phones.
- Maintain good hygiene on your social profiles and consider multi-factor authentication for social accounts and internet-based email accounts such as Gmail and Outlook.
- Use strong passwords, which are fundamentally important, and consider upgrading to passphrases – increased length makes them harder to crack in a brute force attack.
- Prepare for being compromised. What’s your recovery plan?
- Have robust payment processes with strict separation of duties, checks and balances when unexpected or large payment requests come through to your teams.
And one final piece of advice comes from Professor Lesley Seebeck, CEO of the Cyber Institute at the Australian National University, who recently joined CommBank for a discussion about cyber security for small businesses. She says don’t blame the victim – anyone can fall victim to a cyber attack. Businesses need to work together to build resiliency at scale by sharing information and driving accountability. Sharing our experiences is important as it enables others to learn.
There are many resources on the CommBank website – from learning modules to quick guides.