A ‘rising tide’: How small and medium-sized businesses can defend against inevitable cyber security threats

07 November 2018

Alex Serrano, Partner, Cyber Risk Advisory

It is by now clear that in today’s digital economy cyber security incidents are a serious threat to any business. There is a true ‘rising tide’ in the frequency, sophistication, and financial impact resulting from cyber attacks targeted at Australian businesses, large and small.

For Australian Small and Medium-Sized Businesses (SMBs), how they protect against and recover from incidents can determine their future. It is now true that it is ‘not a matter of if, but when’ a business suffers a cyber attack. Cyber crime is a common threat to all businesses that rely on the internet, or technology, at any level to achieve their goals.

Cyber incidents triggered by cyber fraud, phishing attacks or ransomware that may only moderately impact large organisations could represent a serious threat to the viability of SMBs, no matter how lean and adaptable they are. 

For example, close to 20 per cent of SMB respondents to the 2017/2018 BDO and AusCERT Cyber Security Survey indicated they were impacted by phishing, while more than 15 per cent indicated they suffered malware and ransomware attacks in 2017.

Impacts on SMBs can range from direct financial loss (e.g. due to financial fraud or paid ransoms) to indirect and harder-to-track impacts of lost business, damaged reputation, and operational disruptions. Cyber incidents can even expose SMBs to the threat of litigation.

With cyber criminals becoming increasingly emboldened by the success of their activities, and more sophisticated and diverse in their methods of attack, SMBs must understand they can no longer ‘fly under the radar’. All businesses are now legitimate targets for cybercrime. SMBs need to be vigilant and prepare for cyber incidents accordingly.

Avoiding ‘false starts’ with cyber resilience

Venturing along the path to building true cyber resilience can seem a daunting prospect to many Australian SMBs, especially because of the increasing diversity of threats, the complexity of technology, and the sheer range of security options available. The complexity and the challenge are real.

The problem is magnified when approaches better suited to large and complex organisations, or to bespoke and localised contexts, are heedlessly applied to an Australian SMB and expected to work. Such misguided efforts can exhaust resources and cause dangerous delays in getting measures in place to deal with the real cyber threats SMBs face.

Fortunately, there are fundamental principles that business owners and leaders can adopt to avoid false starts and delays in developing true resilience against the tide of cyber threats. These, combined with an assessment approach and real experience in developing cyber resilience capability in SMBs, provide confidence that cyber threats can be addressed efficiently and quickly.

Australian SMBs should consider six key steps in starting their cyber resilience journey:

1. Consider what is at stake

  • What kinds of cyber incidents have happened to other businesses in your industry?
  • What digital assets could your business not operate without?
  • What third-party service providers does your business rely upon and what is the size of their risk exposure?

2. Understand your data and systems

  • What is the value (financial, operational, reputational) of your data and systems?
  • How are these data and systems protected?
  • Who would benefit from having access to your data or systems?

3. Look at the security of your technology

  • Have you deployed protective measures (e.g. suitable antivirus technology) across your entire IT environment?
  • Have you established strong control over access to systems (such as enforcing role-based access control, strong passwords, and two-factor authentication)?
  • Do you use email and web filtering and scanning solutions?
  • Do you use suitable measures (e.g. VPNs, traditional and ‘next generation’ firewalls) to protect remote and cloud access to your data and systems?
  • Are you confident your critical assets are protected against the most likely cyber incidents?
  • Have security specialists in cyber security management, and in the specific security technologies you rely on, informed your thinking?

4. Train your staff

  • Can your staff recognise phishing emails and phone scams?
  • Do they know how to identify if a breach has occurred?
  • Do they know what to do in the case of a breach?
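Steps 3 and 4 both turn on the same question: can the business, its filtering tools or its staff tell a phishing email from a legitimate one? The script below is an added example, not code from the article or from BDO, that scans raw email text for the indicators a phishing-aware reader or a simple mail filter would look for: a Reply-To domain that differs from the sender domain, a display name that borrows a trusted brand while the address is on another domain, failed SPF/DKIM/DMARC results in the Authentication-Results header, link text that shows one site while the link points to another, and pressure language. The brand list and keyword list are assumptions, and the two sample messages are constructed for the example; it uses only the Python standard library.

```python
"""Flag common phishing indicators in raw email text (added example, stdlib only)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of brand names that phishers commonly borrow in display names.
TRUSTED_BRANDS = ("auspost", "bdo", "microsoft", "ato")
# Assumed pressure phrases typical of phishing lures.
URGENCY_PHRASES = ("urgent", "within 24 hours", "verify your", "account suspended")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.IGNORECASE)
URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.\w+(/\S*)?$")


def _domain(addr):
    """Mailbox domain from a From/Reply-To header value, lower-cased."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def _host(url):
    """Hostname of a URL or bare domain (scheme added if missing)."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_dom = _domain(from_hdr)

    # 1. Reply-To pointing somewhere other than the sender's domain.
    if msg.get("Reply-To"):
        reply_dom = _domain(msg.get("Reply-To"))
        if reply_dom != from_dom:
            findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Display name borrows a trusted brand that is absent from the address domain.
    name_tokens = re.findall(r"[a-z]+", parseaddr(from_hdr)[0].lower())
    for brand in TRUSTED_BRANDS:
        if brand in name_tokens and brand not in from_dom:
            findings.append(f"display name mentions {brand} but address is on {from_dom}")

    # 3. Failed sender authentication as recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed per Authentication-Results")

    # 4. Link text that shows one site while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor_text in LINK_RE.findall(text):
        shown = anchor_text.strip()
        if URLISH_RE.match(shown) and _host(shown) != _host(href):
            findings.append(f"link text shows {_host(shown)} but points to {_host(href)}")

    # 5. Pressure language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def classify(raw):
    """Map the findings to a verdict a filter or a reader can act on."""
    findings = phishing_indicators(raw)
    verdict = "likely phishing" if len(findings) >= 2 else ("review" if findings else "low risk")
    return verdict, findings


# Constructed sample messages (not real mail); .example domains are reserved for documentation.
SAMPLE_PHISH = """\
From: "AusPost Deliveries" <notice@parcel-update-au.example>
Reply-To: collect@mailbox-relay.example
To: accounts@smallbiz.example
Subject: Urgent: parcel on hold
Authentication-Results: mx.smallbiz.example; spf=fail smtp.mailfrom=parcel-update-au.example; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>Your parcel is on hold. Verify your details within 24 hours:
<a href="http://parcel-update-au.example/verify">https://auspost.com.au/track</a></body></html>
"""

SAMPLE_OK = """\
From: "Pat Lee" <pat.lee@supplier.example>
To: accounts@smallbiz.example
Subject: Invoice 1042 attached
Authentication-Results: mx.smallbiz.example; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Hi, please find invoice 1042 attached. Regards, Pat
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        verdict, findings = classify(sample)
        print(f"{label}: {verdict}")
        for f in findings:
            print("  -", f)
```

None of these checks is conclusive on its own: a legitimate newsletter can use a separate Reply-To, and a mail server that does not record Authentication-Results yields no authentication finding at all. That is why the verdict requires more than one indicator, and why the same indicators are worth teaching staff to look for rather than relying on a filter alone.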

5. Prepare to respond to cyber incidents

  • Do you have a Cyber Security Incident Response Plan that is tailored for your business?
  • Is it actionable - have you tested it?
  • Does management understand and support the Plan?
  • Do you know who to call upon to help during a cyber security incident?
  • Do you know what your industry competitors are doing to protect themselves?

6. How best can you quickly achieve cyber resilience?

  • Have you performed a rapid cyber assessment to determine the gaps you need to address as quickly as possible?
  • Are you deploying the right resources in the right way? Cyber security can be very costly, so directing investment at the gaps your assessment identified, rather than at whatever is sold most loudly, is key to sustainable security.
  • How do you measure the value of your security investments and track the value of each dollar spent towards reducing cyber threat exposure to acceptable levels?

Taking back control

The ‘rising tide’ of cyber security threats globally and in Australia is constantly evolving as cyber criminals rapidly intensify, develop and experiment with new ways to exploit IT and operational vulnerabilities. True cyber resilience, the ability to prepare for, protect against, respond to and recover from inevitable cyber attacks, is a core capability that SMBs must continually align and adjust. There is always a ‘trimming of the sails’ required to navigate an increasing ocean of threat.

BDO and AusCERT’s Cyber Security Survey 2018/2019 is now open, providing respondents with a valuable opportunity to benchmark their cyber resilience against industry peers, once results are released in 2019.

No better time than now

BDO is a partner of Stay Smart Online. Accordingly, BDO encourages businesses to take the time to reflect on their cyber resilience and consider whether a review is needed. You can find out more about Stay Smart Online including their alert service.

To find out more about building your business’s cyber resilience contact your local BDO Cyber Security expert.