Small businesses are ill-equipped to deal with cyber attacks and a lack of reporting requirements means Australia’s digital security agencies are in the dark about the extent of the crime, according to HLB Mann Judd Melbourne partner Kapil Kukreja.
Mr Kukreja said the SME sector had been slow to respond to potential cyber attacks and business owners needed to be more accountable, with 99.8 per cent falling below the turnover level – $3 million – for mandatory reporting.
“The US and Europe are much more advanced in collecting data, and that’s fundamentally driven by businesses reporting any breaches to authorities,” Mr Kukreja said.
“Given 99.8 per cent of Australian businesses are SMEs, it does create a major disparity in knowing the true extent of cyber-crime across the country.”
“We have only one report which comes out of the Australian cybersecurity agencies. Nothing else.”
He said the recent Optus and Medicare breaches had increased consumer awareness of cyber-crime, but SMEs should be putting up to 5 per cent of their IT budget towards prevention and response.
“This is a guide and it will depend on a range of factors, such as nature of the business and complexity of its systems,” he said.
“Systems become complex when they are interacting with other systems, which is normally the case … So how many systems are in place, how are they connected to each other? What information is flowing from one to another?”
“There’s room for improvement across all sectors but particularly within the SME sector, as they don’t typically have the resources to manage should a cyber breach occur. Hackers are all too aware of this.”
But regardless of the type of business, it was an ongoing process.
“The key for SMEs is they need a budget set aside, along with a formal cyber strategy and cyber response plan, it’s about smart spending and it can’t be an after-thought.
“It's not set-and-forget – we need to continuously review, continuously update, because new vulnerabilities are coming day by day.”
“There have been instances where SMEs have been the victim of a cyber security attack and have gone under within six months.”
Mr Kukreja recommended the following tips for SMEs in mitigating a cyber breach:
- Make cybersecurity the responsibility of the board and those charged with governance.
- Implement the Essential Eight framework to raise the baseline of cybersecurity and resilience in line.
- Implement cyber security solutions.
- Consider and perform a stress-test – there are companies that can perform a simulated hack of a business to identify vulnerabilities in the IT environment.
- Prohibit downloading of apps or software by all employees. Every unauthorised app or software provides an opportunity for a hacker.
- Review how much information is collected and stored about customers and suppliers, and if anything is not required or obsolete, delete it.
“There are well-known examples of cybersecurity breaches but it can happen to businesses of any size. And the reality is unfortunately it will happen – it’s not a question of if, but when,” he said.
You are not authorised to post comments.
Comments will undergo moderation before they get published.