By Peter Maynard
HUNDREDS of thousands of Australian small and medium enterprises (SMEs) are at serious risk from cyber-attack, a risk not only to themselves but also to others they deal with.
SMEs are increasingly becoming the target of choice for ‘bad actors’ and nation states looking for easy entry points to attack governments, critical infrastructure and larger enterprise – and this is why.
Bad actors aggressively target SMEs because of their low cyber security posture and the valuable supply chain partner access and information they hold. It is much easier to steal sensitive data from a small business defence subcontractor than it is from the heavily fortified Defence department.
It is likewise easier to elicit one employee’s username and password to gain system access than it is to ‘hack’ their way through a heavily fortified technical defence.
If there’s one thing we know about cyber criminals, it is that they are opportunistic and will look for the path of least resistance to achieve their objectives. Whether that’s deleting company data or holding it to ransom, shutting down a power grid, or stealing sensitive defence secrets, they’ll do it the easiest way they can, and this means targeting the weakest and most vulnerable.
COVID-19 has made rapid digital transformation a reality for almost any business trying to stay afloat. Irrespective of the organisation’s size or where they are in the world, it’s been: get online and do it fast!
But this rapid increase in reliance on technology is coming with an equally rapid escalation in cyber risk that’s leaving SMEs more exposed than ever.
The Prime Minister’s dramatic increase in support of cyber security has been warmly welcomed by most in the industry. Any cyber security program, whether Federal Government or small business, must be led from the top and there has been a gaping hole in Australia’s cyber leadership since Alastair MacGibbon (Australia’s former cyber security chief) exited 12 months ago.
With the heightened sense of urgency and authority, it would appear that Australia might be back on track with getting on top of cyber. But despite this resurgence in the importance and significance of defending against an increase in cyber-attacks, are all organisations receiving the attention and support they need, or are we fast developing a cyber ‘underclass’ in this country?
CYBER SECURITY UNDER-CLASS
Helping SMEs improve cyber resilience has always been a tough job. The Federal Government’s approach to date has focused on access to high level, self-help awareness resources like the Stay Safe Online program and Australian Cyber Security Centre’s (ACSC) Small Business Cyber Guidance.
And then there was the small business cyber security grant that really failed to hit the mark. But it’s not all doom and gloom. The Australian Cyber Security Growth Network (AustCyber) has been doing some great work supporting both SMEs directly and the innovative Australian companies that are building the solutions that will solve some of these problems.
Sadly though, this is where Australia’s cyber security strategy appears to lack the broader vision or the will and is running off the tracks. This is an area where we have seen little to no progression from the government over the past 4 years and the fear is that it may miss the boat once again in Australia’s upcoming 2020 Cyber Security Strategy.
We did learn something from the failed small business cyber security grant though. It further validated that small business isn’t going to get engaged on cyber without a stick or at least a much tastier carrot. So what’s the solution?
US TAKES APRA-LIKE APPROACH
The United States Department of Defense’s Cyber Maturity Model Certification (CMMC) program is set to commence in August this year and will require all Defense suppliers to assess their cyber risk posture and adhere to a set of standards.
This is just like what the Australian Prudential Regulator (APRA) has done with financial entities and the third, fourth and fifth party suppliers that they use.
Governments at all levels can play a massive role when it comes to driving SMEs to engage on cyber security – and procurement is going to be the key.
Access to government work is somewhat of a holy grail for SMEs and they’ll do pretty much anything to get it and to keep it. If SMEs won’t engage voluntarily on making their businesses more cyber resilient then it’s time for the government to step in.
As the Australian Government finalises its 2020 Cyber Security Strategy it’s critical that we stop focusing on making the strong even stronger and broaden our approach and our thinking.
The return on investment from procurement-driven cyber engagement programs targeted at SMEs would provide an uplift to national cyber resilience that would be unprecedented.
The most important point here is to start. It doesn’t have to be perfect. Just get something underway.
We may not have another four years to put this into the ‘too hard’ basket.
Peter Maynard is founder and managing director of Australian cyber security firm CyberMetrix.