In November 2018, the government of Australia’s chief cyber security coordinator told a forum of regulatory and law enforcement experts that a catastrophic cyberattack was perhaps the most formidable existential threat society faced today. When you look at the scale, ferocity, disruptive impact and financial cost of the most serious cyberattacks in recent years, this warning has merit.
For instance, a number of Australian businesses were affected by the 2017 global Petya ransomware attack. And in 2019, news of a major cyberattack on Australia’s two main political parties emerged. Whereas, cyberattacks against large corporations are the ones that do make it to the news, small and medium-sized enterprises (SMEs) aren’t immune.
If anything, many hackers will focus most of their energies on SMEs as they believe their cyber defenses aren’t as sophisticated as those of large corporations.
Selected Australian Cybersecurity Statistics
There’s no better way to get a feel of Australia’s cybersecurity landscape than taking a look at key cybercrime statistics. We cover some below.
- More than 500,000 small Australian businesses were victims of cybercrime in 2017. To put this number in context, there are slightly over 2 million small businesses in Australia. 25 percent of small businesses is therefore a staggering figure and just demonstrates that cybercrime is far more widespread than the major cyberattacks that make the news.
- One in four businesses that are the target of a cyberattack experience at least 25 hours of downtime. Think about 25 hours of system unavailability for an ecommerce store during a peak sales season. There’s not only huge losses because of potential sales that weren’t realized but also huge damage to the company’s reputation for going down during such a critical time.
- $1.9 million is how much it costs the average medium sized enterprises that is the target of a cyberattack. This would take out a significant chunk of the company’s annual profit. The money would be much better off being applied to business growth.
- More than 60 data breaches were reported to the Office of the Information Commissioner within the first 6 weeks of the commencement of mandatory breach reporting. If you extrapolate that frequency to a full year, you are potentially talking well over 500 breaches reported. Bear in mind that many companies never know that they have been hacked so reported breaches understate the true number of cybercrime incidents that occur per year.
- If you become aware of a data breach but fail to report it, your business could be slapped with a fine of $1.8 million. Can your SME survive a $1.8 million fine? Even if it does, your operations will be starved of cash.
- 1 in 3 SMEs continuously back up their business data. On the face of it, this may seem like excellent news. However, it implies that two thirds of SMEs do not back up their data at all or do not do so continuously. The loss of business data following a cyberattack or a natural disaster can have a crippling effect on operations and may even lead to the permanent demise of the business.
- Five minutes is the time you need to spare to go through the Australian Small Business Ombudsman’s guide on cybersecurity. It’s a brief document but could save you plenty of pain and money in the long run.
- Now for a more general statistic. How many employees does a hacker need to dupe in order to gain access to confidential business data? One. The strength of your cybersecurity is only as effective as your weakest link. This is why cybersecurity training for employees is so essential. Staff must be aware of the most common types of cyberattacks and know what role they play in keeping the business systems and data secure.
How to Prevent Cybercrime
The thought of being subjected to a massive cyberattack is one that keeps leaders of SMEs awake at night. Large companies often have the financial muscle, established reputation and internal technical expertise to eventually survive even the most ferocious attacks. For SMEs, a formidable attack could drive them out of business. They can however establish controls and take appropriate measures to prevent cybercrime.
These controls and methods include:
Security Awareness Training
We’ve already mentioned this but it bears repeating. If there’s one thing you should devote time and resources to as part of your overarching cybersecurity strategy, it is employee training. The majority of cyberattacks can be traced back to the action or inaction of a worker.
Vulnerability Scan
No system is 100 percent foolproof. Hackers are therefore constantly looking for ways they can exploit known vulnerabilities in order to penetrate system defenses. SMEs should run a vulnerability scan at least once a day for their mission-critical systems to identify and seal such vulnerabilities.
Multi-Factor Authentication
User IDs and passwords are vital but if you really want to keep your systems and data secure, you are better off incorporating multi-factor authentication. This means users have to present at least two credentials for authentication. For example, the user may be required to provide their ordinary password as well as a one-time passcode received on their phone.
IT Security Review
The technology environment of the average SME changes regularly. New systems are introduced as older ones are retired. Ergo, cybersecurity controls that were highly effective one or two years ago may have been rendered irrelevant following these changes. An annual IT security review helps you evaluate the current controls so you can take appropriate measures to remedy any vulnerabilities that may have emerged.
Endpoint Security
Smartphones are ubiquitous. Whereas they were initially perceived as a means of keeping in touch with friends and family, it’s now widely accepted as a tool for business. But smartphones and other portable devices such as laptops and thumb drives pose significant danger to the security of enterprise networks and data. Robust endpoint security policies and controls ensure that only devices that conform to the SME’s cybersecurity policies are allowed on the network.
Wrapping Up
For the average SME, the risk of a cyberattack is real and highly probable. But by taking appropriate measures beforehand, SMEs can ensure there’s minimal to no impact on their operations.