Another discussion point in our ESG roundtable was cyber security, which is now a 'supply chain' requirement for small business. In case you missed our article in the March/April magazine, here it is.
Do you think that your business is too small for cyber criminals to target? Well, you are mistaken, as Jason LeGuier of Hotline IT explains.
One thing I often hear is that cyber crime only affects a small percentage of companies each year. In fact the numbers are quite staggering - cyber crime is now significantly larger than both the adult entertainment industry and all drug crime combined.
It is by far the largest form of criminal enterprise here in Australia as well as globally; we’re talking around $15 Trillion USD globally in 2024.
For criminals, it is low risk, high return, with a low barrier to entry. It’s a fantastic business model. And make no mistake, cyber crime is a business. They have sophisticated marketing tools and campaigns, support services and teams of people ready to act instantly on any opportunity that arises. We’re unlikely to be victims of a targeted cyber attack, so let’s look at how criminals target us with their broad-net approach.
Every day, businesses are caught in basic, formula-based cyber attacks. These include phishing emails, text messages and social media account breaches. Basically, the criminal has a database of people with contact details and “markets” to them using a common tool. It may be your typical “we couldn’t deliver your package” SMS message, or simply trying to guess your password. The aim is to get you to hand over your user name and password, preferably without you realising, then gain access to your emails, bank accounts or other systems. Once they gain access to something, they begin to look for easy money. Maybe it’s getting you to pay into a fraudulent bank account, or using your trusted email to defraud someone else. Does it work? Of course it does, or they wouldn’t do it.
As more and more of what we do moves online, the work of a cyber criminal has become much easier. Criminals no longer break in, they log in - as you. Please read that again and maybe pin it to the fridge in the lunch room. Managing cyber risk is a lot different to physical security risks. With our premises, we lock away the valuables and put physical challenges in front of would-be criminals. In cyber space, where your email, bank account and online friends live, time and space don’t exist. You can be attacked by every criminal in the world, at once. They are all trying the locks to see if they can get in. With such a target-rich environment, they no longer spend time trying to break in. It is much easier to work through the list of passwords they have, or try to get your password from you, via some kind of phishing attempt.
How does this affect businesses?
- An employee is breached and they have access to or can spend your money. This is the most common breach I see. If you think you won’t fall for it, you’re a statistic waiting to happen.
- Your business is interrupted by a ransomware attack and you are forced to pay a ransom. Despite us having good defences against this type of attack, I am surprised at how prevalent this still is. And the numbers are increasing in Australia, with a 500% increase in 2023.
- You are used as a means to exploit someone else. Were you an Optus customer, a Medibank customer or one of the 10 million Latitude customers affected in the last 6 months?
It’s the third one that all businesses really need to start paying attention to. The first two cost you money if you are breached. The third may cost you the business even if you are not breached.
Chain of responsibility
Large companies such as insurance providers, government agencies and multinational organisations are all acutely aware of the risk the supply chain brings. We are seeing an increase in supplier assessment of cyber security risk as large businesses look to control third-party cyber risks by not doing business with companies that do not take cyber security seriously. In time, you won’t be invited to deal with large companies, or be able to get business loans, unless you demonstrate robust cyber security.
In the wake of the three big data breaches last year, the Government has also significantly increased both the penalties and powers of the Australian Information Commissioner. Fines of up to $50 million can now be levied against businesses, large and small, that are found to be negligent in handling data privacy and data breaches.
5 things you should be doing right now
- Patch everything (update to the latest version of software). Some of the most used tools target vulnerabilities that were fixed years ago.
- Use a strong, unique password for all your online accounts. 12 characters are recommended; use 3 unconnected 4-letter words if you want to generate them yourself. I highly recommend using a password manager.
- Always use multi-factor authentication if it is available, particularly on anything important.
- Provide cyber security awareness training for your staff. Great programs are available for around $100 per person per year.
- Run decent endpoint protection software on your devices to protect you from harmful applications and sites.

All businesses are at risk of a cyber attack and unfortunately it is often the ones that believe they could not be a target that are hardest hit.
If you have been impacted by a cyber incident, speak up within your industry. Only by raising awareness of both the likelihood and consequence of cyber incidents will we become safer business partners.
Hotline IT has allocated 20 complimentary Cyber Security Risk Assessments to Paint & Panel readers for businesses with more than 10 staff. Email: jason@hotlineit.com