There were 700,000 ransomware attacks in Australia between January and May 2016 alone. With Australia’s reputedly strong economy and digitally integrated businesses and consumers, we’re the perfect target.
Cyber threats have become a major economic issue. While Prime Minister Turnbull recently appointed a Cyber Ambassador and the first ever Cyber Minister who will be in charge of implementing the National Cyber Security Strategy, these initiatives will take time before they directly impact the protection and security of Australian businesses.
SMEs are especially vulnerable – and increasingly targeted – because of their limited IT budgets, and their lack of expertise on cyber threats.
Here are 5 survival strategies SMEs should follow to maximise their security:
- Understand the value of your data
- Invest your IT budget wisely
- Get an incident response plan… and practise it!
- Don’t assume you can do it alone
- Take a proactive approach to security
Many SMEs lack effective security strategies and have de-prioritised investing in security solutions because they don’t thoroughly understand the value of their data and the potential damage of their data being compromised or stolen.
To understand the value of your data, ask yourself these simple questions:
- What would happen if my email system had a half-day outage? How would we let our clients and prospects know? What would they think of us? How would it impact their trust in our company and what would be the knock-on effect for our brand?
- What would be at risk if a work laptop and/or mobile phone belonging to one of our leadership team was stolen?
- What percentage of my customer data and sensitive business data can be accessed by my employees, and how mobile is it? Can it be saved, emailed or deleted easily?
- What would it mean for my business even if only 15% of our customer data was compromised?
Once you have the answers to these questions, you usually realise the importance of securing your organisation and you will start thinking differently about developing security strategies that address the cybersecurity threats facing your business.
As mentioned earlier, SMEs often have limited IT budgets and need to be very efficient in the way they invest them. Most of the SMEs I engage in security conversations spend less than 10% of their IT budgets on security: this is far from being enough! Although there are no right answers as to how to invest your IT budget, securing your data and your access to it should sit at the top of your budget allocation.
There is indeed no point in investing in any given IT project if you are unable to guarantee the protection of the data it will handle. It is very important that SME business leaders understand that if you don’t spend enough on security today, it will cost you a lot more to fix hacked systems (or pay hackers in the case of a ransomware attack) down the track.
Most companies with an incident response plan never actually practise it, which jeopardises the plan’s chances of working in the case of a data breach.
Between the moment you ratify your incident response plan and the time you actually might have to use it, many people in your firm could have left and been replaced by new employees. Many of your internal processes – including in your IT team – might also have changed. It is important to practise – and adapt – your incident response plan at least every 6 months.
In today’s world, the question is not if your organisation will be attacked, but when, how and by whom.
Seeking an external viewpoint on your organisation’s level of security is key to getting a full picture of how you are positioned against the wide and constantly changing external security threat landscape.
External experts can, for example, provide SMEs with a full audit of their systems and identify areas at risk that internal IT teams might not have been able to identify before. Because these experts usually have experience working with many different companies, they’re familiar with the range of threats that exist and how to counter them effectively.
While protective security is necessary, it is not enough. Once you get hacked, it is very difficult to turn the situation around and minimise the impact of the attack. Against the sophistication of today’s cyber threats, implementing basic security patches and firewalls won’t be enough and adopting a proactive approach is vital.
Proactive security means not only hardening your systems against attacks, but also anticipating and preparing to counter risky behaviours and threats from within or outside the organisation. This could include employees, clients, and partners.
Proactive security involves making security a business priority and assigning it specific and measurable KPIs and objectives. It should be a priority for every stakeholder – not just the IT team – and every employee should feel responsible and empowered to guarantee the security of their shared assets.
For SMEs to avoid – or at least minimise – the impact of a cyberattack, security has to be top-of-mind for all employees and a ‘security-first’ approach and mindset need to be embedded in the company’s culture.