Cyber still a key issue for SMEs

With cyber breaches continuing to increase in Australia, RSM Australia cyber security specialist Ashwin Pal is warning small businesses about this increased risk.

Mr Pal, RSM's Director of Risk Advisory in Sydney, said small businesses who put cyber security in the too-hard basket risk being “cannon fodder” and easy prey for cyber criminals.

“It’s a numbers game for these criminals – they could spend months trying to breach a large corporation for a big pay day, but if it takes less than 10 minutes to breach a less secure small business, you do the math. Hackers generally target the low hanging fruit.

“For every large organisation like an Optus or Medibank that reports a data breach, there are about 20 unreported SMEs who have been hit.

“The smaller the business, the less likely it can absorb the financial and reputational hit of a cyber breach.”

The frightening reality is that the Australian Small Business ombudsman reports that more than 60% of Australian SMEs (small businesses) hit by cyber-attack or data breach do not survive the incident.  

This is a huge vulnerability, given more than 90% of Australian businesses have turnover of less than $2m, and the Australian Cyber Security Centre’s Cyber Threat Report out this week indicates the impact of cyber-crime is growing (on average $46,000 for a small business, up from $30,000 in 2020/21).

Mr Pal works with small to medium businesses to identify their vulnerabilities and close the gaps.

Defence against cyber breaches

“There are a number of defensive actions the ACSC suggests, and that we help businesses implement, including multi-factor authentication, regular staff training on recognising scams and phishing and use of reputable cloud service providers.

“SMEs can also invest in scanning and takedown services for fake websites impersonating a business – if this happens, they lose sales and reputation and are left with unhappy customers who have been fooled.

“We help small businesses put in place cloud tools to protect web servers from denial-of-service attacks and help them choose tech tools and run staff education to prevent ransomware email compromise.”

The latest ACSC data shows the vast majority of attacks in Australia are still focused personal and business e-mail compromise.

“User education is really important because most of the attacks start off with a phishing e-mail and if the user isn't educated or aware, they'll click on the e-mail and the rest is history,” Mr Pal said.

“You can't always rely on a time-poor small business user being vigilant because they may be in a rush, click on an e-mail and boom. That's where we've got technology solutions built in which stop the attack even if the user does click on it by mistake. 

“We're taking a multi-pronged approach to protect the client as much as we can. It's an arms race between the good guys and the bad guys but it’s important to do everything you can to protect your business.

Cost versus risk: why SMEs can’t ignore cyber threats

On average, every six minutes in Australia there’s a cyber-crime reported, according to ACSC data.

For every large firm reported in the news for a cyber breach, there would be 20 SMEs we don’t hear about who have also been hit, Mr Pal said.

Another cyber security issue is that Australia’s Privacy Act has recently been reviewed, and legislation is likely to end the exclusion from compliance for businesses with less than $3 million turnover – so any business, regardless of revenue, will have to adhere to new privacy and online data protection rules.

“If your business deals with personal identity information or personal health information, soon you’ll have to comply with the Privacy Act no matter how small your revenue. Right now, most small businesses would struggle to comply.

National professional services firm RSM Australia is increasingly see the need for assessment of and assistance for small businesses.

Mr Pal said the biggest barrier to SMEs being cyber security is cost.

A Mastercard survey this month found the main barrier to more secure digital systems is price, with more than a third of small businesses cutting back on cyber security as they battle inflation.

“We see small businesses can't afford the high-cost packages on offer for large businesses, but who risk losing their business if their security is breached."

The Federal Government is committing $7.2 million to establish a voluntary cyber health-check program will allow businesses to undertake a free, tailored self-assessment of their cyber security maturity.

Businesses can use this health-check to determine the strength of their cyber security measures, and access educational tools and materials they need to upskill.

Small and medium businesses with higher risk exposure will also be able to access a more sophisticated, third‑party assessment to provide additional security across national supply chains.

The Federal Government will also invest $11 million in the Small Business Cyber Resilience Service which will provide one-on-one assistance to help small businesses navigate their cyber challenges, including walking them through the steps to recover from a cyber-attack.

RSM Australia has created a package accessible for SMEs that includes an on-site assessment of the business' biggest risks and how to deal with them. 

It involves a cyber security review, a security policy, user education training and integration of technology to protect an SME’s data and systems.

This cost effective package is designed to complement what the Federal government is offering where an SME may not have the skills or time internally to perform a voluntary cyber health-check and access educational tools and materials they need to upskill. The RSM package also includes some technology tools specifically designed to defend against ransomware attacks. This, coupled with the Federal Government’s Small Business Cyber Resilience Service will help SMEs to defend and recover from cyber attacks. 

“It’s important that small businesses are able to protect their data, reputation and customers from online threats, without breaking the bank,” he said. 

FOR MORE INFORMATION

If you would like to learn more about the topics discussed in this article, please contact Ashwin Pal or your local RSM office.