Some small businesses will fail to survive a cyber attack with the costs of shutdowns, investigations, and reputational damage simply too devastating, says the accounting body.
In the wake of the recent Optus hack, CPA Australia also condemns the cyber security regime for large telecom providers as “not fit for purpose” while urging the government to help SMEs seek redress when their data has been compromised.
“A breach of this scale and size should result in more stringent regulatory requirements and penalties for higher risk organisations,” the body said in its submission to the Productivity Commission’s data inquiry this week.
“The consequences of identity theft due to data breaches such as the one experienced by Optus customers can be numerous. Affected individuals (and businesses) could be forced to spend months ‘cleaning up’ … and may in fact still experience serious financial and credit problems for years after.
“Individuals and small business should be better supported to seek redress for the harm they suffer due to their data being compromised.”
If a small business itself has been hacked, figures from the Australian Cyber Security Centre put the average cost at $33,000, CPA Australia’s head of public practice and SME Keddie Waller said.
However, this hugely understated the real risks.
“When you think about what can actually happen to a business during a breach, this figure could be significantly higher,” Ms Waller said on CPA Australia’s podcast this week.
The hack might mean the SME would be forced to shut down while it recovered or underwent investigation, which could take a month or more depending on the nature of the business.
“There's also the significant reputational damage to your business and that is not just an immediate but a longer term impact,” she said.
“So the statistics are actually showing us that some small businesses just will not survive a cyber attack.”
The CPA submission to the Productivity Commission urges the government to help small business become more data literate and suggests a two-tier approach to cyber regulation.
It says the government should impose stricter regulations and significant penalties for non-compliance on high-risk operations to “create disincentives for such organisations to collect large volumes of (often irrelevant) data in the first place and then not store the data properly”.
But it cautions against “imposing disproportionate regulatory requirements on lower risk businesses”.
If a small business discovered a cyber breach, Ms Waller said the first step was to check the legal requirements and, if necessary, report it, and to notify their insurer if they had cyber cover.
“If your cyber insurance has, for example, access to specialists, they'll be able to come in and actually start doing some investigations into your systems. If you don't have cyber insurance, then I recommend you call your IT support.
“One thing you should not do is immediately restore your previous data backup. What this actually can do is wipe any trace of how someone actually accessed your system and what data has actually been accessed during that breach.”
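Ms Waller's point about not restoring a backup first is about preserving evidence: the logs and files on the compromised system are what an investigator uses to work out how the attacker got in and what they touched. As an added illustration (not from the article, CPA Australia or the ACSC), the shell script below shows the minimum a small business or its IT support can do before any restore: bundle the relevant logs into an archive, record its SHA-256 hash so the copy can later be shown to be unaltered, and mark it read-only. It assumes a Linux host with `tar` and `sha256sum`, and the sample `auth.log` it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: preserve evidence from a suspected-compromised host
# BEFORE restoring from backup, so the trace of the intrusion survives.

# Create a small constructed log directory (sample data, not real events)
# so the script can be exercised offline.
make_sample_logs() {
  mkdir -p "$1"
  cat > "$1/auth.log" <<'EOF'
Oct 03 02:14:07 office-pc sshd[4211]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Oct 03 02:14:09 office-pc sshd[4211]: Accepted password for admin from 203.0.113.5 port 51022 ssh2
EOF
}

# preserve_evidence SRC_DIR DEST_DIR
#   Archives SRC_DIR (e.g. /var/log) into DEST_DIR on a separate volume,
#   records a SHA-256 hash next to the archive, makes both read-only,
#   and prints the archive path. Nothing in SRC_DIR is modified.
preserve_evidence() {
  src="$1"
  dest="$2"
  mkdir -p "$dest"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)          # UTC timestamp for the record
  name="evidence-$stamp.tar.gz"
  archive="$dest/$name"
  tar -czf "$archive" -C "$src" .           # copy, never move, the originals
  ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
  chmod 0444 "$archive" "$archive.sha256"   # discourage accidental edits
  echo "$archive"
}

# verify_evidence ARCHIVE
#   Returns 0 if the archive still matches its recorded hash, non-zero otherwise.
#   Run this before handing the archive to an investigator or insurer.
verify_evidence() {
  archive="$1"
  ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}

# Stand-alone use: ./preserve.sh /var/log /mnt/usb/evidence
if [ $# -ge 2 ]; then
  preserve_evidence "$1" "$2"
fi
```

Only once the archive has been copied off the machine and its hash verified should the backup restore or rebuild begin; the hash file is what lets a later reviewer confirm the logs were not changed after collection.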