Victoria’s government will go to the looming state election committed to its “lofty” goal of helping the state become one of the world’s top five cybersecurity R&D centres within the next decade, minister for trade and investment Philip Dalidakis has promised as he this week launched an innovative cybersecurity services bundle for small businesses.
The state’s position of encouraging cybersecurity industry development was, he said, a contrast to a Morrison government policy change that had eliminated formal Innovation and cybersecurity portfolios, instead handing it off to federal minister for industry, science and technology Karen Andrews.
The move is “a real retrograde step that does potentially send a poor signal to industries right across the spectrum,” a “disappointed” Dalidakis told CSO Australia.
“I would argue that science and technology are subsets of innovation, but they are not in and of themselves just ‘innovation’. The concern I have is whether or not people view the decision as somehow negating the need to innovate.”
Small-biz security as a service
Such signals conflict with a climate of cybersecurity support that is, he said, working to build up cybersecurity skills in small businesses whose owners generally lack the time and resources to effectively protect themselves.
The sector-wide lack of cybersecurity expertise is likely to make small businesses receptive to bundled packages of skills and services such as that launched this week by Melbourne-based cybersecurity consultancy Enex Carbon.
The firm’s CarbonCore security management portal includes security services and auditing capabilities designed specifically to help small businesses identify and remediate issues with their security protections.
A free Basic plan includes a cybersecurity policy document, cybersecurity basics handbook, and cybersecurity incident management process document.
Taken together, Enex Carbon CEO Mark Jones said, these documents provide guidance for small businesses that will help them better understand their security exposure and how they can proactively address that exposure by engaging staff.
Such capabilities often require the support of cybersecurity consultancies that are generally focused on larger clients and don’t have the resources to provide one-on-one support to Australia’s more than 2 million small businesses.
“Most small businesses just aren’t on the radar for professional services organisations or anyone else in the market,” Jones said. “They just don’t have the money. So we’ve really thought about what we do in the professional services group, and how we can scale that back to suit.”
Helping small businesses care about security
Guidance on a breach response is also critical, particularly given that this year’s notifiable data breach (NDB) legislation requires all but the smallest businesses to follow prescribed steps to manage a data breach and its aftermath.
Most organisations would struggle to present a coherent response plan when asked: a recent Switchfast Technologies survey, for one, found that 35 percent of employees don’t even know if their company has an incident response plan in place.
Enex Carbon has aimed to address this deficiency with monthly plans that include a number of services to support incident response plan and security assessments.
The $190 per month Standard plan, which supports up to 20 staff and includes an annual security awareness assessment, website security scan, security threat and risk assessment, and weekly incident alerts.
A $290 per month Premium plan supports up to 40 staff and ads advice and triage support during a cybersecurity incident; an annual management briefing; an annual review of the company’s cybersecurity incident response capability; and monthly educational topics for all staff.
Such topics may be completely for many small business owners, but their importance in the bigger picture means that private and public initiatives must work hard to educate them about the very real risks to their businesses – and to help them be ready if disaster ever does strike.
The Victorian government has already been working to inject cybersecurity topics into its discussions with farmers – whose adoption of efficiency-improving Internet of Things (IoT) sensors and other devices opens them to potential compromise or sabotage by outside actors seeking to gain competitive advantage, or just to disrupt Australia’s food supply chain.
“There is a lot of technology transfer and change in the agricultural community, and every time you can use technology to use your resources in a more efficient manner, it helps everybody along the way – but you need to make sure that farmers are aware of those security limitations and are doing what they can to prevent them.”
Addressing the small-business skills gap
Cybersecurity skills remain well behind demand, but Dalidakis hopes democratisation of cybersecurity expertise may help. He pointed to the recent decision to support Box Hill TAFE’s Certificate IV in Cyber Security so that it can be offered free to the public, and hopes that other institutions will follow as the government seeks to support private-sector service initiatives like CarbonCore as well as broader educational goals.
The small-business sector “is probably the least protected and least knowledgeable about what they need to do and how to do it,” he said.
“We are here to help people work in the industry, and to skill and train them. The threats aren’t any greater than they were 50 years ago – but they are being disseminated in a very different way.”
“So, any change that we can engender is actually positive change. And I will support any player that comes to market with an opportunity to support the market with products that enable them to improve. Any change that we can engender is actually positive change.”
David Braue attended CarbonCore launch as a guest of CarbonCore.