Cyber security is firmly in the spotlight after the recent high-profile cyber attacks on Australian organisations including Optus, Vinomofo, MyDeal and the rapidly escalating Medibank breach.
Cyber attacks are far more widespread than the few that are reported in the media. Incredibly, the government’s cyber security agency, the Australian Cyber Security Centre (ACSC), receives one report of cybercrime every 8 minutes! And last year they reported a 60% increase in ransomware attacks. The Optus and Medibank attacks are examples of these types of attacks, whereby hackers infiltrate an organisation’s IT systems to steal or lock up data and then demand a ransom in return for the stolen data or a copy of the decryption keys. Phishing scams are also on the increase – as most of us can attest given the almost daily texts, emails or phone calls from someone purporting to be from Amazon, DHL, Australia Post etc.
Aren’t cyber criminals just interested in big business?
In the business world, cybercrime is not limited to high-profile attacks on large organisations. Many small and medium-sized businesses have been the victims of cyber attacks.
The most recent ACSC Small Business Survey found cyber incidents are very common for Australian small/medium businesses. Of the 1,763 businesses surveyed, 62% had experienced a cyber incident. The survey found that incidents were most common among businesses with five or more employees, affecting around three quarters of small (5-19 employees) and medium (20-199 employees) businesses.
Chris Pistilli, from our partner Synergy Security and Compliance, has worked with countless small and medium-sized businesses across Australia. “I recently worked with a Not-for-Profit with 18 staff based in Western Australia. The organisation had been Crypto Locked, which means that all their company data was encrypted and held to ransom. They were asked to pay $80,000 in bitcoin to a nominated account – which they did in the hope that their data would be released. After paying the ransom, their data was unlocked, but three days later it was locked again by the same hackers and this time the hackers wanted $100,000. At this point, with the likelihood of ongoing ransoms, they decided to engage specialist cyber security support. Whilst they didn’t pay the second ransom, the organisation ended up losing substantial amounts of data and took weeks to recover from the incidents.”
Sadly, the Australian Small Business & Family Enterprise Ombudsman has previously reported that 22% of small businesses breached by cyber attacks were so affected they could not continue operating, while 60% of small businesses that experienced a significant cyber breach went out of business within the following six months.
Why is cyber crime increasing?
The COVID-19 pandemic significantly increased our dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. This dependence generated more opportunities for cyber criminals to exploit vulnerabilities. The ACSC states that “the increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment”.
Our experience of working with NDIS Providers, NFPs and other small/medium business owners is that there are three main barriers to effective cyber security practices:
- Capacity – many small organisations don’t have dedicated IT staff and cyber security has to compete with other business priorities for the scarce resources available.
- Capability – cyber security is a complex field with many business owners and leaders both underestimating the risks of cybercrime and failing to understand the required mitigation strategies. Cyber risks are also constantly developing and changing, so cyber security practices need to evolve to meet emerging risks.
- Cost – while there are some simple measures that can be implemented to provide better protection, some cyber security solutions can be costly if they impact multiple systems and processes within a business. Disappointingly, the ACSC Small Business Survey found that nearly half (48%) of businesses spend less than $500 on cyber security per year!
How to better protect your business – and your clients!
There are a number of quick and easy actions that organisations can introduce to help prevent common cyber security incidents. At a minimum, TechAbility advises enabling automatic software updates, switching on multi-factor authentication, using passphrases, securing mobile devices and regularly backing up your devices.
In the case of the Western Australian NFP referred to above, their data losses would have been significantly reduced if they had been backing up their data on a regular basis. Training staff on methods of cyber attacks and how to identify cyber scams, phishing emails, etc. can also significantly reduce the risk of a cyber breach.
Many of these measures can be actioned by non-technical staff, and the ACSC has a series of excellent and easy-to-understand guides with step-by-step implementation instructions.
In light of recent events, many of our clients are now looking for more robust cyber security protection. Earlier this year, we commenced a partnership with Synergy Security and Compliance, a specialist security consultancy, to offer a Cyber Security Assessment service to our NDIS, Aged Care, Allied Health and NFP clients. This service provides an assessment against the ACSC’s Essential 8 Mitigation strategies, which are considered to be baseline mitigation strategies for all Australian businesses.
One of our objectives in providing this service is to strip away as much complexity as possible and provide a straightforward assessment and a clear action plan. After completing our Cyber Security Assessment in August, Belinda Reeves, COO of McCall Gardens Community, shared this feedback: “Chris [from Synergy Security & Compliance] and Anita [from TechAbility] clearly explained the process and made the Cybersecurity assessment easy for a non-technical person. The report we received outlined a clear and easy-to-read action plan on what our organisation needs to implement to meet the essential 8 standards. This will inform our training plans for our teams, policy review and ongoing threat assessments”.
Don’t leave it too late to protect your business!
Earlier this month, Clare O’Neil, Minister for Cyber Security, warned: “We are going to be under relentless cyber-attack, essentially from here on in… We need to make sure that we are doing everything we can within organisations to protect customer data, and also for citizens to be doing everything that they can”.
If you’re concerned about your organisation’s cyber security practices, reach out to us to discuss the options for more robust and secure protection for your business – and your clients.