Cyber Attacks Estimated to Hit 2% of Australian GDP

Like it or not, these days we all have to come to terms with a new and very real threat: cyberattack. There’s not a single business owner I’m aware of who hasn’t been either a victim themselves or known someone who has, simply because of a naive trust in the internet of things.

Picture this: some neighbours of mine, a lovely older couple, recently received a knock on their door from a convincing con artist disguised in tradesmen’s overalls. He claimed he was there to fix their roof on the premise that it was in urgent need of repair. He then persuaded the lady to go out and withdraw $800 from her bank account. When she returned home, she discovered her whole house robbed, including her most valuable and last remaining jewels. She was shattered, never to trust again.

Sadly, this degree of vulgarity is not just anecdotal – it’s today’s norm. In a 2018 report by PricewaterhouseCoopers, it was revealed that more than half of Australian companies have been affected.

It could very well be happening to you right now. You could be liaising with a fake ‘supplier’ that baits you with something that looks legitimate but is ultimately a poker ‘bluff’ – an email saying something like “We’ve been hacked and defrauded, so we’ve decided to change our bank details, please make your payment to our new bank account…” – so you go ahead with payment, and before you know it, the money is gone and you have no way of getting it back. This is just human error – but it happens more often than many people realise. In fact, 36% of data breaches occur this way.

Cybercrime is happening so often that our Federal Police can’t even keep up with it. It’s no longer a passing trend, and it’s not just hitting big business – small business is particularly vulnerable as their IT systems are comparatively weak, with only basic security measures in place, and they are often least able to withstand interruptions to operation. In fact, recent research by US telco giant Verizon showed that small business makes up 58% of businesses affected.

Not just an IT problem

This is an ongoing issue you must pay attention to – even if you outsource your IT!

It’s not just an IT problem, it affects every area of your business – so make being cyber aware part of regular weekly communication with all staff. Put it on every agenda in your monthly management meetings and in every staff induction. And don’t forget to include it in discussions with your broker.

Reporting a breach is now law

The impact of a data breach rarely stops at your back door. A vast majority of Australian small businesses hold valuable data belonging to other parties such as clients, suppliers and staff.

In a move to offer these parties greater protection and remediation in case of breach, the Australian government introduced the Notifiable Data Breaches Scheme, an amendment to the Privacy Act 1988. Taking effect in February 2018, the Scheme requires that any breach causing a leak of personal information that could be harmful be reported to the Information Commissioner. In this situation, there are very specific steps you must take, so make sure you seek professional guidance.

Most commonly, the situations where you would be required to report a breach are:

  1. When you are the victim of a malicious cyberattack, such as ransomware and malware
  2. When you accidentally share personal, confidential information with unauthorised parties

It can be complex to understand these issues and take appropriate remedial action – so make sure you assess your business’ susceptibility to this risk – again, seeking professional help is recommended.

Protect your hard drives

One of the fundamental tools every business needs to protect the data on their hard drives is encryption. Whether you operate solely on desktops and an on-site server, or you have staff out on the road with laptops and mobiles, the risk of sensitive data falling into the wrong hands is a very real threat to business operations, including GDPR compliance. Using encryption to scramble the data renders it unreadable without a decryption password – an especially powerful safeguard for devices that are regularly transferred between users and locations.

In future, we may even see encryption become a legally recognised data defence strategy. Though not yet legally recognised in Australia, it is proving successful in other countries, giving business owners and leaders the opportunity to not only better manage data protection internally, but avoid the headaches that accompany having to formally register a breach.

Review and plan

One of the most important steps to protect your business from cyberattack is a thorough review of your IT security and systems. This is something you can lead your entire organisation in, making everyone an active player in your defence strategy.

Passwords are a great place to start. Review all your current passwords for strength and educate everyone on how to structure them effectively using complex combinations – that means no more using your name or date of birth! Strong passwords are generally a mix of:

  1. upper case,
  2. lower case,
  3. numbers,
  4. symbols, and
  5. phrases (such as a quote, movie, song)

It’s also critical to have a process everyone knows on how to handle personal information. You may like to create FAQs for common scenarios like what can be shared, when, to whom and under what circumstances. Make it available at induction, on the company intranet, in common areas – anywhere it can be easily referenced.

Cyber insurance protection

Insurance is one of those things none of us want to need. But cyberattack can’t be taken lightly: assuming ‘it won’t happen to me’ puts you at risk of serious damage to your revenue and your reputation.

The risks come in all disguises: from malicious system attack, to a staff member downloading a fake link that appeared legitimate or you replying to a trustworthy supplier email not realising they’ve been hacked. These everyday things can all lead to information leaks and way too much exposure.

The framework of severity here is too broad to measure. If you end up in this situation, known as high frequency risk, without cover, the impact to your business will be much greater as you’ll have to throw all your resources at protection, plus take out the insurance you need.

Every day, the growing complexity and frequency of cybercrime puts Australian businesses at increasing risk. It’s a threat that can no longer be ignored – especially for small business. As a business owner, the responsibility to protect your data means you must act to protect not only your business and livelihood, but everyone who comes in contact with your organisation. Take the time to review your systems, educate yourself and your team and seek professional advice on how to manage your risk today. Don’t be afraid to ask for help – because the alternative could be much worse.
