By Peter Maynard
If you think cyber security is an IT issue, think again. Fast.
Despite two decades of investment in information technology (IT) security tooling, cybercrime attacks and breaches are only escalating. The reason has surprisingly little to do with software.
Fortunately, cybercrime is starting to be identified for what it truly is, a whole-of-organisation risk that requires a much broader strategy than a good firewall and some anti-virus software.
Good cyber security guidance has always been hard for small-and-medium enterprises (SMEs) to come by. Typically it arrives via internal IT teams or external IT providers. They will often have the latest technical solutions, but that is simply not enough anymore.
Cyber criminals have shifted focus from frontal tech attacks to the largely unguarded side door, otherwise known as you and your people. Fake websites, fake emails, dangerous attachments, insecure links… this is known as ‘social engineering’ and it’s come a long way since African finance ministers’ cousins. One clever phone call and an attacker has access to your computer network, your credentials, your bank accounts, your data – your entire business.
Then there’s the question of what to do if you are breached. After all, what does your IT team know about managing reputation loss, responding to a regulator, or preparing to front the media and clients? Not a lot and nor should they. That’s not their job.
But maybe you think you’re too small to target or have nothing worth stealing. You’re not alone. Nearly 60 percent of SMEs don’t consider cyber crime to be a big risk to their business. About 44 percent don’t even consider strong security to be a priority – and 77 percent of SMEs believe their company is safe from an attack.
This is perfect for cyber criminals who can easily piece together masses of ‘small’ information from hundreds of organisations, or use smaller, easily-breached businesses to move up the supply chain to larger organisations or governments.
The fact is every organisation has something of value (its crown jewels), and so cyber security must be on the radar of every SME. In 2017 the proportion of small businesses that experienced an attack rose from 55 percent to 61 percent. In one year.
For many of them, it was too late. Reputations destroyed; customer confidence lost; significant financial, data and productivity losses. In fact 60 percent of SMEs go out of business within six months of a data breach.
Whether your organisation is hundreds of people or just you, the numbers say you will be hit by cyber attacks. Some you won’t even notice. And even if you have invested in important security controls (defences) like next-generation firewalls, intrusion prevention systems, anti-virus software and monitoring tools, it’s important to understand they don’t provide a full defence. Nor do they address the whole range of other risk mitigation components and strategies you need to manage the risk that cyber attacks represent to your business.
No matter what size your organisation, the best starting point is simply understanding the eight critical areas that a holistic cyber risk management strategy should be addressing.
- Security culture – Cyber security is a risk issue that spans every part of your organisation and everyone has a role to play. How important is security to everyone in your business?
- Self awareness – Every business, irrespective of its size or sector, has ‘crown jewels’ or digital assets of value. How aware are you of your digital assets and what you have to lose?
- External awareness – The cyber security landscape is constantly changing. How aware are you of the threats and risks that your business will need to defend and protect against?
- Identifying your digital assets – Knowing what you have to protect is fundamental to being able to defend your business. Do you know what digital assets you have, where they are and who has access to them?
- Preparing to protect – Using technology solutions to protect against cyber attack is essential. Do you have the right tools in place to protect your business and its digital assets?
- Ability to detect intrusion – Despite the best preparation, even the biggest get breached. How well are you set up to detect an intrusion before it can cause serious harm?
- Ability to respond – Cyber attacks are seemingly unavoidable for most businesses. How well prepared is your business to respond to the threats and minimise the damage?
- Ability to recover – You’ve been breached. How do you go about rebuilding your business and your reputation? Who tells your clients? What’s your plan?
If you’re like most businesses, you focus on number five – your tech solutions. But the other seven are equally important.
Admittedly, this means a longer to-do list. The Australian Small Business and Family Enterprise Ombudsman released a great resource earlier this year titled Cyber Security: The Small Business Best Practice Guide. Their recommendation is to begin with an assessment of your business’s current cyber security.
A good cyber security evaluation should help you to prioritise your limited time, budget and resources by giving you a clear understanding of what you’re doing well and where your gaps are across your whole cyber security profile, not just your tech.
With this, you can develop a strong cyber risk management strategy – the goal for every SME. Without it, you will only ever be shooting from the hip.
So while it’s true the days of governments and software companies protecting us from cyber attacks are over, the good news is you can take control of your cyber security. With a little time and planning it doesn’t have to be hard or expensive. Regardless of your size, your turnover or your sector, the principles are the same.
And the most important thing you can do right now… is start!
Peter Maynard is co-founder and CEO of Australian cyber risk management advisory firm, CyberMetrix. CyberMetrix assists individuals and organisations of all sizes to understand and assess their cyber risk and partners with them to grow their risk management capability. https://cybermetrix.com.au
Why SMEs? Why now?
To the average cyber criminal, SMEs are the perfect soft target. They know SMEs are time poor and don’t have access to the same resources as the big guys. SMEs typically think their firewall (router) and antivirus is enough, or that they’re too small to target. And statistically, most only act after they’ve been attacked.
- 43% of cyber attacks target small business.
- 93% of breaches are caused by human error.
- Over 50% of small businesses experienced a breach in 2017.
- 99% of computers are vulnerable to exploit kits.
- Attackers often target thousands of businesses at a time hoping one will bite.
- Attackers can use small business to infiltrate big organisations: Target in the USA was breached via an air conditioning contractor.
- On average it takes 120 days for a business to discover a data breach.