The need for SMBs to break bad cyber security habits has never been greater
While cyber security has been an imperative in the corporate world for some time, it has become increasingly important for small businesses to understand it and get smart about it as well.
There has always been a lag between how cyber security is treated in the corporate world and how it is approached by small businesses.
While it’s the big companies that have more to lose and are more likely to end up in the headlines, NortonLifeLock’s senior director for APAC Mark Gorrie said that many small and medium-sized businesses (SMBs) are easy pickings for cyber criminals.
The maths that giants like Microsoft use to justify investing billions in cyber security each year doesn’t scale as well for smaller entities.
As a result, Mr Gorrie said, small businesses often have neither the in-house expertise nor the budget to invest heavily in protecting themselves.
“They may not have a lot of [cyber security] processes in place for their business, so that can make them easy targets,” he explained.
However, with the rise of hybrid and remote working amid the restrictions of the COVID-19 pandemic, the pressure on SMBs to get cyber security right has only grown.
“They're going to have to make some level of investment, they can't sort of get away with doing nothing,” Mr Gorrie warned.
A recent report by the ACCC into scam activity in Australia found that scams reported by Australian businesses increased 260 per cent in 2020.
This report specifically highlighted business email compromise scams, which were responsible for $128 million in losses.
While there are a number of things that these businesses can do to deter cyber attacks, the journey towards making your business cyber secure is an educational one.
For many businesses, the old set-and-forget approach needs to give way to a more proactive mindset.
According to Mr Gorrie, that approach starts with establishing and keeping good cyber hygiene habits.
Small businesses need to stop reusing passwords and start making sure their devices are running the most recent security and software updates. These tips may seem rote or mundane, but it is precisely these relatively boring processes that are most likely to deter cyber threats: a password reused across services means one leaked password unlocks every account it was used on, and an unpatched device remains exposed to attacks the vendor has already fixed.
“I don't think the basics are overly complex or difficult, and it does make a big difference,” Mr Gorrie said.
Many of Mr Gorrie’s concerns are echoed by the Australian Cyber Security Centre.
“Cybercriminals continue to target Australian families, businesses, and organisations to steal sensitive information and money, including through business email compromise and ransomware attacks,” said an Australian Cyber Security Centre spokesperson.
While the ACSC said that small businesses remain a major target for cyber crime, a spokesperson for the organisation said that “there are simple measures that all businesses can implement to help to prevent or reduce the impact of a cyber security incident.”
Any cyber security strategy is only as strong as its weakest link, so good cyber hygiene processes and practices are a reliable way to find and remove those weak links.
“When possible, multi-factor authentication definitely makes a big difference in terms of limiting access to compromised accounts,” Mr Gorrie recommended.
Backups are another area that often gets overlooked. While many small businesses are used to backing up their data for safekeeping, Mr Gorrie said that it is vital that this backup be kept off-premises. The property that matters is that the copy cannot be reached from the systems it protects: a backup that stays connected is just another drive for an attacker to encrypt.
“A lot of people, you know, connect an external hard drive and leave it plugged in. If they get hit with ransomware, it’ll typically encrypt the backup at the same time as the original data,” he warned.
Good cyber hygiene gives small businesses a foundation to fall back on and the peace of mind to operate in an increasingly-digital world.
But for organisations that want to build on that foundation, it is critical to become familiar with the idea of a threat surface (more often called an attack surface).
Every point where the long-term logistics and everyday workflows of a small or medium-sized business touch the internet is a potential vector through which an attacker could advance.
For many businesses, the threat surface is not limited to devices like PCs and smartphones. It also includes things like printers, routers, and smart security systems.
If it is connected to the internet, it is a tool that could be turned against the interests of a small business. Even cloud-based platforms like Google Drive or Dropbox can be a way in for attackers, for example through a reused or phished password.
Mapping out the threat surface of your business is a necessary step for small business owners who want a more proactive approach to cyber security. Rather than waiting for something to go wrong, you look for the places where it could and plan accordingly.
So, once you have wrapped your mind around the idea of a threat surface and broken those bad cyber security habits, what’s next?
Mr Gorrie emphasised the need for small businesses to familiarise themselves — and their staff — with one of the most common types of cyber security threats: phishing scams.
Phishing scams are as banal as they are effective. They take advantage of the assumption that users are operating in an environment free of cyber threats.
Most of the time, when users open an email, they assume that its contents are legitimate and that the sender has no malicious intent. That trust is what phishing emails prey upon.
Don’t click on unknown links and be wary of suspicious emails. It sounds like obvious advice, but the enduring popularity of phishing scams among cyber criminals suggests that it’s necessary.
“Many of these scams originate through a phishing email. And so people just clicking on that email end up clicking on the link or clicking on the attachment,” Mr Gorrie said.
Even when a phishing email is not destructive on its own, it is often the precursor to the real attack: the stolen credentials or the malware it delivers are the foothold on which a later business email compromise or ransomware attack is built.
Mr Gorrie said that defending against phishing attempts has become more complicated in recent years, since a lot of people now use phones as their primary device.
He said that small businesses need to remember that a staff member’s personal device can be just as valid a way inside for cyber attackers as a laptop bought and paid for by the business.
Since all it takes is one lax click to let an attacker behind your defences, education can be the best weapon here.
Awareness around phishing isn’t just something that the business owner should be looking into for themselves, but something that they need to ensure staff are educated about.
“Staff is a key part of the defence, but it's also the weakest link,” Mr Gorrie said.
“Awareness for the staff about what these attacks look like, how they come in and what they should be looking for is definitely critical,” he added.
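As an added example (not code from the article, NortonLifeLock or the ACSC), the following Python turns the things staff are told to look for into checks that can be run over an exported mailbox: a trusted brand name on an untrusted sender domain, a Reply-To that points somewhere else, a link whose visible text and real destination differ, and an attachment type that commonly carries macros or executables. The trusted-domain list and both sample messages are constructed for the example and are not real organisations.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the business's own domain plus the brands staff routinely get mail from.
TRUSTED_DOMAINS = {"acme.example", "acme-bank.example"}
# Attachment types that commonly carry executables or macros (deliberately a short list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm", ".htm", ".html"}

def _norm(text: str) -> str:
    """Lower-case and keep only letters/digits, so 'Acme Bank' matches 'acme-bank'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host_in(text: str) -> str:
    """First hostname-looking token in a link's visible text, or '' if there is none."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    return m.group(1) if m else ""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable reasons the message looks like phishing (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    brands = {_norm(d.split(".")[0]) for d in TRUSTED_DOMAINS}
    # 1. A trusted brand in the display name or a lookalike domain, but sent from elsewhere.
    hits = {b for b in brands if b in _norm(display_name) or b in _norm(from_domain)}
    if hits and from_domain not in TRUSTED_DOMAINS:
        found.append(f"sender {from_addr!r} references {sorted(hits)} but {from_domain!r} is not trusted")
    # 2. Replies would silently go to a different domain than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        found.append(f"Reply-To {reply_addr!r} differs from From domain {from_domain!r}")
    # 3. Link text shows one host while the href actually points at another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            shown, actual = _host_in(text), (urlparse(href).hostname or "")
            if shown and actual and shown != actual:
                found.append(f"link text shows {shown!r} but points to {actual!r}")
    # 4. Attachments of types that commonly carry macros or executables.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and name[name.rfind("."):].lower() in RISKY_EXTENSIONS:
            found.append(f"risky attachment {name!r}")
    return found

# Constructed sample: display-name spoof, divergent Reply-To, mismatched link, macro document.
SAMPLE_PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.example>
Reply-To: recovery@mail-forwarder.example
Subject: Action required: your payment is on hold
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We could not process invoice 4471. Review it here:
<a href="http://acme-bank.login-portal.example/verify">https://acme-bank.example/verify</a></p>
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"

--b1--
"""

# Constructed sample of an ordinary notice from a trusted domain; expected to produce nothing.
SAMPLE_LEGIT = """\
From: "Acme Bank" <notices@acme-bank.example>
Content-Type: text/plain; charset="utf-8"

Your statement is available in internet banking. Log in as you normally would.
"""
```

Calling phishing_indicators(SAMPLE_PHISH) returns four reasons, one per indicator, while phishing_indicators(SAMPLE_LEGIT) returns an empty list. These are indicators rather than proof: a legitimate mailing service often sets a different Reply-To, and a trusted brand can genuinely send from a new domain, so the output is a prompt for a person to look closer, which is exactly the awareness the article is asking staff to build rather than a replacement for it.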
Mr Gorrie has one final recommendation for larger SMBs looking to strengthen their cyber security posture: cyber insurance.
Australia’s mandatory breach reporting regime, the Notifiable Data Breaches scheme, has been in effect since February 2018. It requires organisations covered by the Privacy Act, which includes businesses with an annual turnover of $3 million or more as well as certain others such as health service providers regardless of turnover, to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable when a breach involving personal information is likely to result in serious harm.
While most smaller businesses fall outside the current breach notification laws, Mr Gorrie said that small businesses with turnovers above the threshold may be caught out by the law in the event of a data breach.
“That's where the cyber insurance can definitely help a business to ensure that they don't face financial ruin,” he said.
Small businesses are never going to be able to match the infrastructure spend and technology capabilities of their corporate counterparts when it comes to cyber security, but that’s no excuse not to try.
By making smarter cyber security choices rather than relying on business as usual, SMBs can minimise their own risk and do right by their customers.