Government guidance recommended for new cyber tax breaks

12 April 2022

BDO and AusCERT say the federal governments technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost.

Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return.

AusCERT and BDO are calling for guidance to be provided for SME’s looking to take advantage of the government incentives to mitigate the chance of inadequate governance.

“AusCERT recognises the significance of the latest federal government announcement and hope the promise will be matched equally by delivery,” said AusCERT Director David Stockdale. “While it is easy for a government in the runup to an election to make promises, the true benefit is in recognising the needs of SME’s and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren't the core business of most SMEs, and history has shown that even large corporates can fall victim to wide scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps - let's hope we do not see providers pedalling a "silver bullet" course and we find ourselves looking back and see another ‘pink batts’ fiasco.”

The latest BDO and AusCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser focused.

BDO Partner and National Cyber Security Leader, Leon Fouche, said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training creates a ripe environment for ineffective training and providers to pop up.”

The BDO and AusCERT survey found that 2021 saw a staggering 175% increase for data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements

“With the steady increase in working remotely driven by the pandemic there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form cyber awareness training. Yet most organisations don’t have a chief security officer, or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SME’s with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AusCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers.

The survey identified several steps business can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.  

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon. “Whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training. What is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

Stan Gallo, Partner, Forensic Services said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary.

“The Technology Investment Boost is terrific for innovative tech driven start-ups and entrepreneurial business, but mature SME’s looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non technology driven areas, still need assistance to understand technology investment and how it can add value to their business operations.” 

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan.

“However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom – then maybe, they will pay to get their confidential data back. As usual there are no guarantees either way.”

Access the 2021 BDO and AusCERT Cyber Security Survey below:

BDO and AusCERT Cyber Security Survey