Small Businesses have the most to fear from Cyber Attacks

Leon Fouche , National Leader, Cyber Security |

16 May 2017

Following the worldwide ‘WannaCry’ cyber attack that took place on the weekend, leading advisory firm BDO said it’s Australia’s small businesses who are the most at risk from these types of future attacks.

Leon Fouche, National Leader for Cyber Security at BDO Australia said:

“Small businesses are an easy target for criminals as they don’t have IT teams to look after their environments and often pay the ransom to get their systems and data back.” 

“Any attack would immediately damage their reputation - to a point where they could have to cease trading overnight.”

WannaCry hit around 200,000 companies and organisations in 150 countries with a ransomware attack.

“It originated in poorly protected workstations, which shows that training employees is necessary but no longer sufficient. Firms invest in security technology but this is being undermined by different attack methods,” Mr Fouche said.

“This type of cyber attack from criminals is not new to Australia.  The recent BDO/AusCERT survey showed that nearly a quarter of the organisations surveyed experienced a ransomware attack in the last 12 months and that just over a third of those organisations had an cyber incident response plan or capability in place to deal with the incident”.  This means that many small organisations are at risk of being targeted by ransomware attacks and don’t have the capability to respond to these types of attacks.”

“It is also important that organisations should be aware that if they choose to pay the ransom, they are ultimately supporting organised crime. This should be the last option and reported immediately to the authorities.”

The introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (due for enactment by 23 February 2018 at the latest) means businesses of any size or focus must be able to call upon cyber advisers with a high calibre of expertise to help them both prepare for a cyber incident and recover.

Once the legislation comes into effect it will be mandatory to disclose any case where there are reasonable grounds to believe an eligible data breach has occurred. Businesses must advise the Privacy Commissioner and contact all individuals whose data may have been compromised – supplying call centre details and providing public notifications. Individuals have a right to query what information was leaked.

“Small Businesses need to have a Cyber Incident Response Plan in place to respond to and report on cyber-attacks as quickly as possible.  Without such a plan, adhering to the new legislative requirements will be very challenging and businesses could find themselves wrong-footed by an unsuspecting attack,” Mr Fouche said.