Cybersecurity and the other 99.8%
It is not hard to see why the majority of small to medium enterprise (SME) owners in Australia feel that a cyber-attack would not impact them.
‘2 out of 3 respondents (66%) believe a cyberattack is unlikely, even though in reality 67% of Small to Medium Businesses experienced a cyberattack in the last year’.
Keeper Security’s 2019 SMB Cyberthreat Study
SME owners are told that they have enough protection via antivirus software. They feel that they are ‘too small’ to warrant anyone wanting to hack their business. They believe that employees ‘know enough’ not to click on dangerous emails.
Further, we only hear about big newsworthy cybersecurity breaches – such as BlueScope, MyBudget, ServiceNSW, Toll Group – which affect hundreds of customers and cost millions of dollars. However, large businesses like these (with 200+ employees) only make up 0.2% of the total Australian business count.
So, what about the other 99.8%?
Despite SMEs being the target of 43% of all cyber-crime, we never hear about these crimes. This leaves many SME owners asking:
How much can a cyber-attack really impact my business?
I discuss this question every day with Australian business owners, and whilst the answer varies depending on their industry, size and existing cybersecurity strategy, we know from a financial perspective that the average cost of a cybersecurity breach for Australian businesses is $276,323 per attack. This includes extortion costs (i.e. ransomware payments), recovery costs and revenue loss.
It does not include long-term indirect impacts such as brand and reputation damage, media management and potential legal implications.
We also know that larger organizations are usually confronted with larger overall security breaches, but SMEs experience a much higher relative negative impact. A 2019 IBM report highlights this, stating that:
‘We found significant variation in total data breach costs by organizational size… smaller organizations have higher costs relative to their size than larger organizations, which can hamper their ability to recover financially from the incident’.
Cost of a Data Breach Report 2019, IBM Security
Over the past three to four years, hackers have also been shifting their focus from big corporates to SMEs, with one report finding a 424% increase in attacks on SMEs from 2017 to 2019.
The shift from the 0.2% to the 99.8%
The simple reason hackers are shifting their attention to SMEs is they are now much easier to hack. Driven primarily by major attacks in 2017 (e.g. WannaCry), large corporates have actively and continuously invested in cybersecurity, whereas many SMEs have continued with the status quo. Our research has identified three key trends that are leaving SMEs vulnerable to increased cyber-attacks:
- SME business owners believe that current systems protect them
More than 85% of Australian SME owners believe their antivirus software is enough to protect them from cyber-attacks. Unfortunately, antivirus systems only protect businesses from 47% of all cybersecurity threats. They are still an excellent foundation to block known threats and build a stronger cybersecurity system on.
- SMEs have fewer resources available to deal with initial and ongoing attacks
Many SMEs do not have the resources to identify and manage cyber-attacks, leaving 22% of small businesses unable to continue operating after a ransomware exploitation. When given the choice of losing a business, or paying a hefty ransom, the majority of businesses pay up. Once paid, there is a high possibility the company will be hacked continuously until the vulnerability is found and fixed.
- Cyber-criminals are playing the long game
Cyber-crime is becoming much more sophisticated and smaller businesses are often the gateways to bigger rewards. Criminals infiltrate SME systems with the aim to either obtain confidential details from larger firms or enter larger firm systems directly. For example, the global retail chain Target was hacked when a heating and air conditioning contractor was compromised.
On top of this, there has been a global increase in all cyber-attacks due to COVID-19, with hackers leveraging vulnerable people and vulnerable remote IT systems.
‘There is a growing cybersecurity gap between big business and SMEs that has been highlighted and has heightened during COVID-19… There should be a focus on developing cost-effective, easily maintained cyber solutions to help protect Australian SMEs now and into the future.’
Risks, mitigations, and interventions of mass remote working during the COVID-19 pandemic; Australian Cyber Security Cooperative Research Centre, 2020
Despite all this, there is good news for SMEs
There is one big advantage of being an SME over a large enterprise: external hackers will easily give up if they cannot breach the system.
Typically, hackers will use the same tried and tested techniques to hack multiple SMEs simultaneously, infiltrating the most vulnerable. They will target naïve employees with phishing scams, social engineering, and clickbait. Then, once infiltrated, a bot will automatically run malicious code (malware) on the computer, giving the hacker access to hold the company to ransom.
The key is to ensure your systems are not vulnerable to an attack. This means implementing a cybersecurity strategy.
The Australian Government has recognised the need for Australian businesses to increase their cybersecurity. The Australian Cyber Security Centre (ACSC) has recommended eight mitigation strategies (known as the Essential 8) that all organisations should implement as a baseline cybersecurity measure. Many large organisations have invested heavily to implement these recommendations to maximise their protection.
The good news is SMEs can also implement highly cost-effective cybersecurity management systems. These systems can significantly reduce system vulnerability, ensure business owners have clear policies to manage attacks, and ensure businesses are compliant with the ACSC Essential 8 recommendations.
The reality is, cyber-attack threats on SMEs will only increase as the workplace continues to evolve and criminals seek new ways to infiltrate businesses. Yet, strong cybersecurity management systems are built to adapt to new threats, using proactive measures rather than a continuous defence.
For SMEs, cybersecurity removes the power from the hackers and places it firmly back with the business owner, leaving the proverbial ball – or data – safely in their court. Thus, the success of cyber-crime in Australia is ultimately up to the other 99.8%.
What can law firms do to protect themselves?
The good news is there’s a solution. Firms can easily put in place systems and tools to dramatically reduce the risk of cyber attacks. Three key areas all businesses should implement are:
- Cyber Security Technology: applications and tools which protect the business systems. The best guide for this is the Australian Cyber Security Centre’s Essential 8 mitigation strategies. This includes areas such as multi-factor authentication and regular updating of operational systems and programs. The Jam Cyber – Cyber Security Management System is compliant with the Essential 8 Strategies.
- Employee Training: unfortunately, innocent employee error is a major cause of cyber attacks. This includes both employees being scammed by external hackers and employees accidentally putting the company at risk and causing a breach. Training can reduce cyber attacks by 72%[xv] and also give employees more confidence in their online environment.
- Policies and procedures: in addition to systems and training, it is also important for businesses to have policies and procedures regarding cyber security and IT asset management. These documents act as a guide for employees to ensure they are always acting cyber safe. Further, policies and procedures should clarify what should occur in the case of a data breach as rapid action can greatly reduce the impact of an attack.
At Jam Cyber, our Cyber Security Management System includes all these areas. Contact our team today to ensure your law firm is cyber safe.
Jam Cyber & Cybersecurity Solution
Jam Cyber IT & Cybersecurity is focused on delivering IT solutions for small to medium Australian businesses. Our Cybersecurity Management Systems provide optimal cyber-protection at a cost-effective price, without needing new expensive server infrastructure.