Cyber Security risks for small businesses


Every day we hear of a cyber-attack on a large or medium-scale enterprise. These attacks can take various forms:

 

·       Malicious data breaches using software that scans, monitors and steals passwords and information from the organization.

·       Accidental data breaches through inadvertent sharing of sensitive information.

·       Phishing links sent to employees' email by someone pretending to be an official from the organization.

·       Ransomware that locks down confidential files until a ransom is paid.

·       Brute force attacks that gain access to infrastructure and applications through internet-facing webpages.

·       Insider threats from employees with access to sensitive information who can knowingly or unknowingly misuse it.

·       Intellectual property theft by competitors seeking to steal trade secrets or other information from the organization.

 

Cyber criminals can target organisations in multiple ways, namely:

·       By breaching the confidentiality of private or sensitive data. This could be the organisation’s own data or that of its customers, employees, suppliers etc.

·       By targeting the availability and accessibility of an organisation’s data and systems.

·       By interfering with the accuracy or integrity of the organisation’s data.

 

While data breaches and cyber-attacks are a common occurrence nowadays, we often hear from the owners of small businesses that they do not feel they are at risk of being targeted or likely to be impacted by cyber incidents. Their belief is that, due to the size of their organisations, they are unlikely targets, and they also believe the impact on their businesses would be minimal.

However, as most small businesses have limited resources and resilience, we believe that they can potentially be significantly impacted by cyber-attacks and should therefore consider implementing some elements of protection.

The elements of protection relevant or suitable for a small business would depend on the risks that are relevant to them. 

 

The Risks

 

·       Financial risk - The cost of a cyber-attack can be devastating for small businesses that may not have the resources to recover from such an incident.

·       Protection of customers and partners - A breach of customer data can result in loss of trust and damage to reputation. It can also lead to penalties and legal consequences from the customers.

·       Business continuity - Loss of access to data, high costs of recovery, disruptions to income-generating operations etc. could significantly disrupt the business continuity of a small organization.

 

Some of the information assets that a small business might need to protect:

 

·       Customer data - This could include Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) such as names, addresses, phone numbers, email addresses, driver's licence details, medical records and payment card / bank account information. A breach of this information might invoke some responsibilities for the business under the notifiable data breach act and Australian privacy regulations, as well as legal actions brought by impacted customers. Any ransomware or other attack restricting access to this data could potentially hamper the business’s ability to continue to operate.

·       Employee data - This would typically include PII and SPI as described above, but for the business’s own staff, employees and contractors. Any breach of this would be similarly covered under regulatory and legislative considerations.

·       Intellectual property - This could be commercially sensitive information, including contractual information, trade secrets, patents, copyrights, trademarks etc., that is unique to the business. Any breach of this information could significantly hamper the business’s viability.

·       Financial data - This could include financial statements, payment card and bank account information, tax records etc. If a malicious actor gains access to this, it could potentially be used to damage the business in various operational and strategic ways.

 

What should a small business owner do?

1. Understand the data / information assets they are in possession of.

2. Identify the risks to the information assets through any of the attack types listed above.

3. Identify simple and easily implementable methods that would mitigate the risks identified and ensure the business remains viable in case of an attack or breach.

Some simple steps that a small business could adopt:

  1. Implement access controls, including Multi-Factor Authentication, to restrict access to their applications and network (if using one).
  2. Ensure that their third-party applications are regularly patched. If they are using in-house developed applications, then these should be tested for vulnerabilities.
  3. Ensure regular patching and hardening of any in-house hosted servers, if using any.
  4. Invest in education and awareness building for all staff and team members, helping them to be aware of potential risks and to identify potential malicious attempts, and educating them on information-safe work practices.
  5. Ensure regular backups are taken as a precautionary measure, so they can be used when recovering from a cyber incident. Choosing a backup system that is right for your organization is crucial.
  6. Stay up to date with changes in regulations and ensure that their own internal policies and procedures are updated to align accordingly. This may include subscribing to free updates from Australian state and federal government bodies as well as other experts as necessary.

If you want to know more about this topic or need advice on maintaining or upgrading your organisation’s cyber security, please contact us.