5 cybersecurity survival strategies for Australian SMEs

By James Walker, Computer One

There were 700,000 ransomware attacks in Australia between January and May 2016 alone. With Australia’s reputedly strong economy and digitally integrated businesses and consumers, we’re the perfect target.

Cyber threats have become a major economic issue. While Prime Minister Turnbull recently appointed a Cyber Ambassador and the first ever Cyber Minister who will be in charge of implementing the National Cyber Security Strategy, these initiatives will take time before they directly impact the protection and security of Australian businesses.

SMEs are especially vulnerable – and increasingly targeted – because of their limited IT budgets, and their lack of expertise on cyber threats.

Here are 5 survival strategies SMEs should follow to maximise their security:

  • Understand the value of your data
  • Invest your IT budget wisely
  • Get an incident response plan… and practice it!
  • Don’t assume you can do it alone
  • Take a proactive approach to security

Many SMEs lack effective security strategies and have de-prioritised investing in security solutions because they don’t thoroughly understand the value of their data and the potential damage of their data being compromised or stolen.

To understand the value of your data, ask yourself these simple questions:

  • What would happen if my email system had a half-day outage? How would we let our clients and prospects know? What would they think of us? How would it impact their trust in our company and what would be the knock-on effect for our brand?
  • What would be at risk if a work laptop and/or mobile phone belonging to a member of our leadership team was stolen?
  • What percentage of my customer data and sensitive business data can be accessed by my employees, and how mobile is it? Can it be saved, emailed or deleted easily?
  • What would it mean for my business even if only 15% of our customer data was compromised?

Once you have the answers to these questions, you usually realise the importance of securing your organisation and you will start thinking differently about developing security strategies that address the cybersecurity threats facing your business.

As mentioned earlier, SMEs often have limited IT budgets and need to be very efficient in the way they invest them. Most of the SMEs I engage in security conversations spend less than 10% of their IT budgets on security: this is far from enough! Although there are no right answers as to how to invest your IT budget, securing your data and your access to it should sit at the top of your budget allocation.

There is indeed no point in investing in any given IT project if you are unable to guarantee the protection of the data it will handle. It is very important that SME business leaders understand that if you don’t spend enough on security today, it will cost you a lot more to fix hacked systems (or pay hackers in the case of a ransomware attack) down the track.

Most companies with an incident response plan never actually practise it, which jeopardises the plan’s chances of working in the event of a data breach.

Between the moment you ratify your incident response plan and the time you might actually have to use it, many people in your firm could have left and been replaced by new employees. Many of your internal processes – including in your IT team – might also have changed. It is important to practise – and adapt – your incident response plan at least every 6 months.

In today’s world, the question is not if your organisation will be attacked, but when, how and by whom.

Recruiting an external viewpoint on your organisation’s level of security is key in getting a full picture of how you are positioned against the wide and constantly changing external security threat landscape.

External experts can, for example, provide SMEs with a full audit of their systems and identify areas at risk that internal IT teams might not have been able to identify before. Because these experts usually have experience working with many different companies, they’re familiar with the range of threats that exist and how to counter them effectively.

While protective security is necessary, it is not enough. Once you get hacked, it is very difficult to turn the situation around and minimise the impact of the attack. Against the sophistication of today’s cyber threats, implementing basic security patches and firewalls won’t be enough and adopting a proactive approach is vital.

Proactive security means not only hardening your systems against attacks, but also anticipating and preparing to counter risky behaviours and threats from within or outside the organisation. This could include employees, clients, and partners.

Proactive security involves making security a business priority, allocating it specific and measurable KPIs and objectives. It should be a priority for every stakeholder – not just the IT team – and every employee should feel responsible and empowered to guarantee the security of their shared assets.

For SMEs to avoid – or at least minimise – the impact of a cyberattack, security has to be top-of-mind for all employees and a ‘security-first’ approach and mindset need to be embedded in the company’s culture.
