Serenity Now: Australian government releases small business cybersecurity guide

The Cyber Security Best Practice Guide offers 'three quick steps to serenity' for small business operators to understand the risks and how to prevent cyber attacks.
Written by Asha Barbaschow, Contributor

The Australian Small Business and Family Enterprise Ombudsman has published a Cyber Security Best Practice Guide, hoping to help small business operators in Australia prevent, or better prepare for, a cyber attack.

According to the guide, small business is the target of 43 percent of all cybercrime, with the government citing research published in early 2016.

Following the WannaCry and Petya ransomware campaigns that caused havoc globally in 2017, the ombudsman said 22 percent of small businesses breached by the attacks were so affected they could not continue operating, while 60 percent of small businesses that experience a significant cyber breach go out of business within the following six months.

Another statistic highlighted by the guide [PDF] is that 87 percent of small businesses believe their business is safe from cyber attack because they use antivirus software.

Ombudsman Kate Carnell said many small businesses lack time and resources but cannot afford to be complacent about cybersecurity.

"Cyber criminals are becoming more sophisticated and small businesses are particularly vulnerable," she said in a statement.

"Online threats are just as real as physical threats. Cybersecurity needs to be taken seriously, like having locks on your doors and a burglar alarm."

Carnell said small businesses shouldn't be afraid of "going online" because the opportunities and benefits could be immense.

"Many small businesses have successfully blended their physical and virtual shopfronts to establish sustainable operating models," she said.

"It would be an incredible shame if small businesses shut themselves out of the online market because of fears about cybersecurity.

"There are risks attached to most activities, even crossing the road. Taking sensible precautions broadens opportunities and heightens the rewards."

The guide offers up three "quick steps to serenity": Prevention, well-being, and response.

The guide encourages small businesses to undertake regular backups, patch applications, use complex passwords and use two-step authentication, and to limit access to administrator accounts and sensitive information.

In an attempt to do things "safely", the guide asks small businesses to communicate safe practice and talk about cybersecurity frequently within the workplace, browse safe sites, and only install trusted applications.

"If you think an attack has happened, tell staff and tell the authorities," the guide states. "Restore backups from before the incident. Consider cyber insurance."

Speaking last year at the ASIAL Security Conference in Sydney, Carnell said a lot of small-to-medium enterprises (SMEs) operating in Australia don't think they have anything warranting a cyber attack, believing criminals instead would target the "big guys".

"They know the big guys have really cool systems and they know the little guys haven't," she explained. "Cyber criminals now are attacking small businesses as a result, very, very regularly."

30 percent of small businesses reported experiencing a cybercrime incident in the year to mid-2015 -- a 109 percent increase over the year prior. Carnell, however, is certain that figure was a lot higher as a lot of small businesses don't want to admit they've fallen victim.

Australia is a nation of small business operators -- defined by the ombudsman as businesses employing fewer than 20 employees and by the Australian Taxation Office as businesses turning over below AU$10 million.

As of July 2017, 97 percent of businesses in Australia were small businesses employing fewer than 20 employees -- that is 2.1 million individuals employed by a small business.

Carnell added that many do not have a chief operating officer, in-house lawyers, or IT folk. They don't really get cybersecurity even though they know it's a problem, and the CEOs are often actively running the day-to-day business with an office structure around them. As a result, cyber protection is often forgotten.

"This is starting to be a bigger impact among our economy ... than some traditional forms of crime," she explained, but noted that the challenge for many SMEs is they don't know how to protect themselves.

"The reason they don't know how to deal with it is that there's so much stuff in the space across government ... there's a lot of different parts of the federal government dealing in the cybersecurity space."

