The recent Australian Cyber Security Centre Small Business Survey revealed that:

  • Companies lost $300 million each year due to cyber attacks
  • The ACSC receives around 144 reports of cyber attacks every day
  • 62% of the small and medium business owners surveyed had experienced cyber attacks

If these figures alone aren’t enough to get small business owners reviewing their cyber security strategy, then take it from cyber security expert James Eling, and from small business owner Samantha Chua, who has seen the impact of cybercrime up close.

What is cyber security?

“Cyber security refers to the processes that ensure the integrity and confidentiality of your business data and access to your systems,” explains James Eling, Director of IT business Extreme Networks.

Cyber security tools can include software, staff training and security-aware payment systems.

What are the different types of cyber attacks?

Cyber threats can come in the form of:

  • Message scams that try to get you to send money, click on malicious links, or reveal personal data including passwords or credit card numbers; they could come via email, SMS, social media or phone calls
  • Phishing attacks that might contain a link to a false website that encourages you to give up sensitive data such as the logins or passwords to your business’s social media accounts
  • Ransomware attacks that leverage limited security measures to encrypt a business’s data and stop the business operating until a ransom is paid
  • Malware attacks that use malicious software to gain access to sensitive data resulting in identity theft or other kinds of fraud

Why would cyber attackers bother with my small business?

“It’s a common misconception that small business owners don’t need to worry about cybercrime,” says James. “They hear about the big-scale attacks on large enterprises or read that the average hacking costs $1.5 million dollars and think, ‘Because I don’t have that kind of money, it won’t be worthwhile hacking my business.’

“However, attacks like business email compromise tend to involve amounts between $5,000 and $15,000 – enough to make it worthwhile to the hacker and enough to be seriously debilitating to a small business.”

What’s a business email compromise?

“This occurs when a cyber criminal intercepts an invoice from, say, one of your suppliers,” says James. “They duplicate the invoice so it looks exactly the same except for the bank account numbers. Often, these false invoices are paid and the business owner is none the wiser until the supplier starts following up their unpaid invoice.

“It’s a very insidious type of attack because it won’t necessarily get picked up by your security software. You might have done nothing wrong except to take it at face value.”

What should I do to protect my small business?

“At the bare minimum, you should use multi-factor authentication (MFA) and antivirus software, and make sure you’re updating your software and applications regularly,” says James.

“You must have an automated system to back up your data. Sometimes data loss is due not to a cyber attack but just to human error – a staff member deleting an email thread you really need. Backups mean you can protect your business from this kind of inconvenience and associated operational costs.”

In his eyes, robust payment systems and staff training are just as important as IT security.

“Some accounting systems might flag a change in bank account details for a regular supplier but if not, your staff must be alert to any unusual changes in bank account details, and invoice regularity and amounts,” he suggests. “If in doubt, check it out.

“Don’t call the number on the invoice – go to the business’ website directory and call that number. It’s a five-minute call that could save you a lot of money and anguish. And consider lowering your daily transfer amount – [this is] a quick and free way to protect against a potentially catastrophic interruption to your cash flow.”
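The check described above, as an added example that is not part of the original article: before payment, it compares an invoice's bank details and amount with what is on file for the supplier and lists the reasons to hold it until the supplier has been phoned. The supplier record, field names and the 50% amount tolerance are assumptions made for illustration.

```python
from statistics import median

# Constructed sample data (hypothetical supplier and payment history).
SUPPLIERS = {
    "Acme Packaging": {
        "bsb": "062-000",
        "account": "12345678",
        "past_amounts": [4800.0, 5100.0, 4950.0, 5020.0],
    },
}


def _digits(value):
    """Keep digits only so '062 000' and '062-000' compare equal."""
    return "".join(ch for ch in str(value) if ch.isdigit())


def review_invoice(invoice, suppliers=SUPPLIERS, amount_tolerance=0.5):
    """Return the reasons to hold an invoice for a phone check (empty = none)."""
    record = suppliers.get(invoice["supplier"])
    if record is None:
        return ["supplier not on file: verify before first payment"]

    reasons = []
    # A duplicated invoice with swapped bank details is the BEC pattern
    # described in the article, so any mismatch is a hold.
    if (_digits(invoice["bsb"]) != _digits(record["bsb"])
            or _digits(invoice["account"]) != _digits(record["account"])):
        reasons.append("bank details differ from supplier record")

    # Flag amounts far from what this supplier normally bills.
    typical = median(record["past_amounts"])
    if abs(invoice["amount"] - typical) > amount_tolerance * typical:
        reasons.append(
            f"amount {invoice['amount']:.2f} is unusual (typical {typical:.2f})"
        )
    return reasons


if __name__ == "__main__":
    tampered = {"supplier": "Acme Packaging", "bsb": "062-000",
                "account": "87654321", "amount": 5000.0}
    for reason in review_invoice(tampered):
        print("HOLD:", reason)
```

Update the supplier record only after the change has been confirmed on a phone number obtained independently of the invoice.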

James also recommends considering cyber insurance.

“It can be limited in its coverage but the process of applying is useful because it gets you to audit your business risks and ask yourself how your business would survive if you had to pay out [an] amount of money.”

A small business owner’s experience

“One of my websites recently got hammered with brute force attacks,” says Samantha Chua, director of Sincere Copy.

“At its peak, there were 300 login attempts in one hour. Fortunately my WordPress security software alerted me and I took quick action to make sure none of the client websites I manage were breached.

“I immediately enhanced security on every website and notified my clients to update their passwords. Thankfully, the attempted logins halved 15 minutes after I implemented the changes. Twelve hours later, everything was back to normal.”

Samantha has the following lessons and tips for other small business owners:

  1. “While the attack was unsuccessful, one repercussion was that Google picked up my email address as spam, so I’d recommend setting up a separate email address specifically for site security notifications – that way, your main inbox won’t be flagged as spam if and when an attack happens.”
  2. “If you’re hiring a web designer, make sure you ask them what cyber security measures they have in place. Luckily, mine were robust enough to protect my clients’ accounts.”
  3. “It was reassuring to know that the cyber security software I use has the option to get in touch with a dedicated specialist who would be able to provide support to recover the site, should the hack be successful.”

“Don’t put cyber security in the too-hard basket or think ‘She’ll be right’. It’s not worth the risk!”