- Small businesses are most at risk when it comes to suffering a cyber security breach.
- Security measures should include cyber plans on risk management, mitigation, response and recovery.
- Small businesses can take several practical steps to prevent cyber attacks.
Small businesses are especially vulnerable to cyber crime and the impact of a cyber attack can be catastrophic. According to Australian Federal Police statistics, 71% of cyber attacks occur in businesses with fewer than 100 employees. And 60% of SMEs close down within six months of an attack, according to the National Cyber Security Alliance.
“What this means is that cyber security is an issue for all SMEs,” says Geraldine Magarey FCA from Chartered Accountants Australia and New Zealand. “Anytime you use the internet on a business device, you become a possible target. Attacks are so common that you should assume your business will be targeted at some point in the future. The best way to protect against a security breach is to be vigilant and proactive and to have a series of cyber plans.”
Four plans are recommended by Magarey: a risk management plan to minimise the threat of cyber crime; a mitigation plan to limit the impact of any cyber attack on your business; a response plan so you know exactly what to do (and not to do); and a data recovery plan to ensure your business is up and running again as soon as possible.
If establishing four separate plans sounds like overkill for your small business, consider this. The federal government estimates that cybercrime costs Australians around $17 billion per year and says the average cost of a cyber attack to a business is $276,323. Possible impacts include compromised confidentiality of client data, reputational damage, regulatory fines and legal fees, damage to your credit and inability to secure bank loans, not to mention extraordinary inconvenience and decreased productivity.
Magarey and her colleagues at Chartered Accountants ANZ have published a detailed guide for SMEs and practitioners, explaining the four plans that every small business should have in place.
Checklist to mitigate cyber attacks
This Acuity article provides a checklist of cyber security measures to help small business owners start a mitigation plan:
Always change your default passwords for all systems to something new that cannot be easily guessed and make sure you use unique passwords for each of your systems.
2. Security software
Security software helps protect your business against malicious or otherwise unauthorised network traffic.
Tempting someone to access malicious attachments and websites is a common technique to install malicious code onto a computer and compromise a network. Educate your staff to be wary of unsolicited emails and attachments.
Many small businesses do not have a dedicated IT manager. Where this is the case, appointing a person with day-to-day responsibility for cyber security is highly recommended.
5. Software patches
Keep software patches up-to-date and use supported versions of software. This is important to guard against malware infiltrating computers. Every time you leave any program unpatched, you’re leaving the door ajar for a cyber attack.
Make sure you back up your critical data on a regular basis (daily, weekly or monthly) with both offline copies as well as offsite storage of at least the weekly backup data. This ensures you have access to your information in the event of a cyber security incident.
7. Non-administrator accounts
Administrator level accounts are targeted by attackers because they provide potentially full access to your system. By creating non-administrator level accounts and using them for day-to-day activities, you reduce the risk of network compromise.
8. Remote access
Staff with remote access can be targeted by attackers attempting to gain access to your network. To make remote access more secure, use ‘IP whitelisting’ and strong passwords. Also secure other public-facing services, such as your web server, through activities such as independent website testing for vulnerabilities.
9. Critical information
Controlling physical access to data minimises the risk of theft, destruction or tampering. So does using encryption when this information is stored on portable devices or removable media.
Malicious behaviour is more likely to be detected if you automatically log information relating to network activities and computer events. Best practice is to retain these logs and regularly review them for changes to normal behaviour.
(To read full details, resources and further guidance on the above checklist, visit the Computer Emergency Response Team Australia’s website.)
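To illustrate the checklist items on non-administrator accounts, remote access and log review, here is a small Python review of remote-login records against an IP allowlist. It is an added example, not part of the original article or the CERT Australia guidance. The log format, address ranges, account names and failure threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed policy values (hypothetical): ranges allowed for remote access, admin names.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
ADMIN_ACCOUNTS = {"administrator", "root"}
FAILED_THRESHOLD = 3  # failed logins from one source before it is flagged
# Constructed sample lines in a made-up format; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
2024-03-04T08:55:02 remote-login user=jsmith src=203.0.113.5 result=success
2024-03-04T09:10:44 remote-login user=administrator src=203.0.113.5 result=success
2024-03-04T23:41:09 remote-login user=mlee src=192.0.2.77 result=failure
2024-03-04T23:41:15 remote-login user=mlee src=192.0.2.77 result=failure
2024-03-04T23:41:22 remote-login user=mlee src=192.0.2.77 result=failure
2024-03-04T23:42:01 remote-login user=mlee src=192.0.2.77 result=success
this line is malformed and must be counted, not crash the review
"""
LINE_RE = re.compile(r"^(\S+) remote-login user=(\S+) src=(\S+) result=(success|failure)$")

def is_allowed(src):
    """True if the source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable address is never treated as allowed
    return any(addr in net for net in ALLOWED_NETS)

def review(log_text):
    """Return (findings, unparsed_count) for one batch of log lines."""
    findings, unparsed, failures = [], 0, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # surface lines the review could not read
            continue
        ts, user, src, result = m.groups()
        if result == "failure":
            failures[src] += 1
            if failures[src] == FAILED_THRESHOLD:  # report once per source
                findings.append((ts, "repeated-failures", user, src))
            continue
        if not is_allowed(src):
            findings.append((ts, "login-outside-allowlist", user, src))
        if user.lower() in ADMIN_ACCOUNTS:
            findings.append((ts, "admin-account-login", user, src))
    return findings, unparsed

if __name__ == "__main__":
    print(*review(SAMPLE_LOG)[0], sep="\n")
```

A non-zero unparsed count is worth investigating in its own right, since a change in log format can silently hide events from the review.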
Related: Protecting Our Cyber Future
Chartered Accountants ANZ has published an extensive guide to cyber security, as part of the future[inc] thought leadership series. Protecting Our Cyber Future includes an appraisal of the cyber landscape, the impact upon boards and executives, how organisations should prepare and the role of regulators.
Related: Risk management tool
The CA ANZ Risk management tool explains what risk management is and outlines the requirements for firms in Australia under APES 325. Includes a link to the Risk Management Framework.
Andy McLean is the former editor of Acuity and now a writer and content marketing consultant. www.andymclean.net