Hearing about the recent cyberattacks on large companies like Optus, Medibank, Latitude, Crown and Meriton, it’s easy to think that such attacks only happen to large companies or organisations, but the truth is that cybercriminals are targeting small businesses more than ever before. In fact, small businesses are the target of 43 per cent of cyberattacks, and the frequency of these attacks is only increasing.
Unfortunately, many small business owners have the misconception that they are too small to be a target of cyberattacks. They assume that hackers only go after the ‘big fish’, but this is not the case. The truth is that cybercriminals view small businesses as low-hanging fruit because they typically have fewer resources and less sophisticated Cyber Security measures in place.
Another common misconception is that only businesses that handle sensitive information such as credit card details or personal information are at risk of being targeted. While it is true that businesses that handle sensitive information are a prime target, cybercriminals can attack any type of business and can cause significant damage to a company’s reputation, finances and operations. Your business might be just one stage of a supply chain and if yours or another within that chain becomes compromised, the rest are at risk of being affected.
Who could be a threat to your business?
Threats can come from anywhere, not just random internet criminals mass spamming email addresses. Criminals come in all shapes and sizes, such as an individual or even an organisation that looks and runs as a legitimate business. Threats can come from:
- Cybercriminals: those who are illegally trying to access your hardware, software and data, to disrupt your business or to obtain information or money.
- Current clients: disgruntled clients could try to compromise your information.
- Competitors: business competitors could try to gain access to your clients or data to gain an advantage over your business.
- Current or former employees: this could be through an accidental or intentional compromise of your business’s information.
How can an SME become a target of a cyberattack?
Small and medium-sized businesses can fall victim to various types of cyberattacks. This could be through theft or unauthorised access of your company’s hardware, computers and mobile devices, through infecting devices with malware like viruses, ransomware and spyware, by attacking your tech or website, by attacking third-party systems or companies you do business with or by sending socially engineered phishing emails and texts containing malware. These attacks can lead to data breaches, financial losses, business disruption and damage to a company’s reputation.
While at the outset your business might not be directly targeted, as your data is not seen as being as valuable as another’s, your business is still going to be hit by indirect cyberattacks. These predominantly come in the form of phishing emails, where scammers send an email masquerading as a legitimate and reputable company with the aim of getting you to click a malware link or enter your personal or login details. According to Astra, 92 per cent of Australian organisations suffered a successful phishing attack in 2022, showing a 53 per cent increase from 2021. If your staff are unaware of what these look like, no matter how personalised they are for your business, your business will get infiltrated and voila, you’ve just been hit by a cyberattack.
According to a study by IBM, the main cause of 95 per cent of Cyber Security breaches is human error. Human error in a security context means unintentional actions, or lack of action, by employees that cause, spread or allow a security breach to occur. This could be something as simple as accidentally clicking a link that downloads and installs malware or failing to use a strong password. With work environments becoming more nuanced, such as working from home, in multiple offices or needing to use a diverse range of applications to complete day-to-day tasks, it can be difficult to keep up with each user’s activities, the number of usernames and passwords needing to be remembered and all the inconvenient security measures that the company puts in place, like two-factor authentication.
While people make mistakes, this presents a simple starting point for businesses to protect themselves from cyberattacks: train employees on IT risks and how to recognise scams and phishing schemes.
The consequences of a cyberattack can be devastating for small businesses. Many small businesses lack the resources to protect their websites, accounts and networks or to recover from a cyberattack, and as a result, many of them go out of business within six months of the attack.
How can I protect my business from cyberattacks?
Small businesses need to take Cyber Security seriously and implement measures to protect themselves against cyberattacks. These measures can include installing firewalls, antivirus software and security patches, implementing strong password policies, providing regular staff training and conducting regular Cyber Security risk assessments.
We have many other posts about how to protect your company, such as how to restrict administrative privileges and how to conduct a Cyber Security risk assessment, but for now, here are some simple ways to protect your company:
- As mentioned, train employees on IT risks. This creates a Cyber Security culture within your business that encourages discussion around security and allows staff to ask questions if they ever are unsure.
- Reduce opportunities for human error. Implement privilege control so that employees only have access to the data and software they need to perform their roles.
- Create a clear policy on technology, such as employees using devices on company networks and having strong passwords, and then ensure these are being followed.
- Have someone in charge of IT and security. If you’re heavily reliant on technology, it might be best to work with a managed service provider (MSP) to proactively monitor your systems and remove threats as they occur. They also ensure everything is backed up and can help your business by recommending IT systems that suit your unique business as well as grow your systems alongside your company growth.
- Work with your IT service provider to implement the Essential Eight Cyber Security framework that the Australian Government recommends all businesses adopt.
How an MSP can help with your IT systems
Managed service providers monitor your IT systems to stop threats in their tracks. By handing the responsibility of your systems off to someone else, it allows you as a business owner or decision-maker within your company to get on with the other daily tasks you need to complete. In business, you wear many hats and are often an expert in your field, so it’s time to hire a business that’s an expert in IT systems.
Even better, try to work with an MSP that is also an expert in Cyber Security. Oftentimes, these are two separate businesses, either you working with both an MSP and a Cyber Security company or the MSP working with the Cyber Security company.
At Pronet Technology, we are both. About six years ago, we began to learn more about and specialise in Cyber Security so that we could adequately protect our clients and their systems, as well as our own, because a breach on either end could infect the other.
Did you know, according to IBM, the average time to identify and contain a data breach is 280 days? Working with Cyber Security professionals means that threats and data breaches can be detected, contained and fixed promptly and that your systems are constantly monitored. They will implement a range of strategies to protect your business, like testing new software and updates on isolated machines for any potential holes in security before then installing these on your devices as well as informing your business of any security risks and weaknesses in your defences.
No business is too small to be a target of cyberattacks. Small businesses are particularly vulnerable because they often lack the resources to implement sophisticated Cyber Security measures. Cyber Security should be taken seriously by all businesses, regardless of their size, to protect themselves against potential cyberattacks and minimise the risk of damage to their reputation, finances and operations. Your business, its customers and your suppliers are too important for you to believe that you’re never going to be hit by a cyberattack because you’re ‘too small’. You must be properly protected and prepared for when an attack happens.