It’s time to stand back, evaluate your position and take cost-effective measures to prevent a very pricey breach.
It might surprise you that the biggest threat is not the immediate monetary loss from a phishing scam. This article will showcase what the real costs of a cyber breach are to a small business.
We will walk you through the Essential 8 mitigation strategies advised by the Australian Government and pinpoint the minimum IT measures you should take.
First, some key stats from the Australian Cyber Security Centre (ACSC) 2020/2021 Annual Cyber Report:
What is the Essential 8 Cyber Security?
There is a wide range of technical solutions to prevent malicious software attacks on your business, and the Australian Government prescribes the Essential 8 mitigation strategies as the baseline.
The ASD Essential 8 cyber standard via DISP accreditation is a requirement if you are an Australian business currently working with the Australian Government Department of Defence or seeking to partner with them.
Prevent malware delivery & execution
The first phase of cybersecurity acts like a shield to block the brunt of the attack. Whether attacks start as phishing, hacking or malware, there are 4 protections to put in place:
1. Application control: This prevents unapproved and possibly harmful programs from installing and running on your computer system.
2. Configure Microsoft Office macro settings: With proper configuration, only trusted machines and individuals should be able to access your business’ data from the internet.
3. Patch applications: Always use the latest version of an application. Patches serve to protect your technology from newly identified threats.
4. User application hardening: Block ads and similar content on the internet. Disable unneeded features in the various platforms you use, such as your web browser and Microsoft Office. The less open you are, the fewer points of entry there are for an attack on your business.
Limit cyber security incidents
Sometimes you can’t prevent an attack. You can still make sure a breach doesn’t extend too far or result in stolen data.
There are 3 mitigation strategies to put in place:
5. Restrict administrative privileges: Your operating system should be configured so that only certain individuals can access sensitive information. Those administrative privileges should be regularly revalidated, and privileged accounts should not be used for casual web browsing, email checking, or while working remotely on an insecure Wi-Fi network.
6. Multi-factor authentication: Passwords are easily hacked. All of them should be made secure with extra identification proof, especially when working remotely or when trying to access important/sensitive data.
7. Patch operating systems: Always patch and update your computer and network devices to the latest operating system so they can be protected from the newest threats.
Recover data and system availability
As a last resort, when you are attacked by ransomware or your data has been corrupted, all you can do is cut your losses and recover a previous version of your data.
For that recovery to be successful you need:
8. A daily backup system: All your important new and changed data should be backed up. Software and configuration settings should be stored safely and disconnected from your system, so they are not at risk. Establish which data are important/private and what the retention period should be for each (finance records might need to be kept for at least 7 years, while configuration settings need only 3 months). Regularly test restoring from your backups.
The 8 strategies are proven to be effective and the government recommends them to all businesses, no matter their size.
What can a cyber breach cost a small business?
Cybersecurity is not an urgent item on most agendas. Even after suffering a cyber incident, the Australian Cyber Security Centre found that 72% of breached small businesses thought it unlikely they would be attacked again and took no real measures.
Your reputation is at stake
Inadequate security puts your reputation on the line. Since 2018, the law has become stricter regarding the reporting of theft or loss of private data through cyber incidents. The current regime requires businesses to inform both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be seriously harmed by the breach.
Of course “serious harm” is relative; it includes physical, financial, psychological, reputational and emotional harm. The seriousness is judged on a case-by-case basis, considering such things as:
- The sensitivity of private information that was compromised (name, date of birth, email, address, health information, payment details)
- The security protections put in place to protect data
- The type of people who stole the data
- The nature of the harm caused to the people whose data was compromised
- How much of the harm can be prevented by remedial actions from your business
In all those cases, you have to notify your customer. If your site has been hacked and all the contact details, names and passwords of your clients have been stolen, you have to send a warning to every person at risk and advertise the breach on your site.
This kind of publicity can be hard to recover from as trust is the most important and the hardest feeling to foster in customers.
Human errors can cause data breaches
It’s important to note that breaches are not limited to malicious attacks but also include human and system negligence. Common problems that you might have to inform clients about, and that could greatly diminish your trustworthiness are:
- Losing laptops or getting your hard drives stolen
- Giving unauthorised employees access to sensitive data
- Sending an email or forwarding information to the wrong person
In some cases, you can take action to stop the breach in its tracks. But that requires fast thinking, and a plan prepared in advance helps you there.
Do you have a plan to mitigate the risks of data breaches?
Accidents happen. Cyber attacks will prod at your business and test your defences. What is essential is to know where you stand, see how much you can prevent and be prepared.
To prevent malicious attacks:
- Get a Cyber Security Audit
- Hold regular training for staff
- Assign a person or team responsibility for updating security plans, running training and keeping informed via the ACSC.
- Write “Data Breach Response Guidelines” in clear language, covering various scenarios.
3 Practical Ways to Protect Your Business
Small businesses might not have the means to have all Essential 8 strategies implemented but there are a few protections you should prioritise.
1. Implement daily backups
All your important data should be backed up. Software and configuration settings should be stored safely and disconnected from your system, so they are not at risk. Establish which data are important/private and what the retention period should be for each (finance records might need to be kept for at least 7 years, while configuration settings need only 3 months). Regularly test restoring from your backups.
An IT specialist should set it up to fit your business’ needs.
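As an added example (not code from the original article), a small Python model of the two backup rules above: each backup is tagged with a data category and kept for that category's retention period (constructed values: 7 years for finance, 90 days for configuration), and a restore test compares the restored copy against the checksum recorded at backup time. The category names, file names and dates are constructed assumptions.

```python
from datetime import date, timedelta
import hashlib

# Retention period per data category, in days (constructed from the article's
# examples: finance kept at least 7 years, configuration settings about 3 months).
RETENTION_DAYS = {
    "finance": 7 * 365,
    "config": 90,
}

def is_expired(category, backup_date, today):
    """True when a backup is older than the retention period for its category.
    An unknown category raises KeyError so unclassified data is never silently pruned."""
    return (today - backup_date) > timedelta(days=RETENTION_DAYS[category])

def prune_plan(backups, today):
    """Split (name, category, date) backups into (keep, delete) lists of names."""
    keep, delete = [], []
    for name, category, backup_date in backups:
        (delete if is_expired(category, backup_date, today) else keep).append(name)
    return keep, delete

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_restore(recorded_sha256, restored_bytes):
    """Restore test: the restored copy must hash to the digest recorded at backup time."""
    return sha256_hex(restored_bytes) == recorded_sha256

def demo_plan():
    """Constructed sample backup catalogue, evaluated on 1 Jan 2022."""
    today = date(2022, 1, 1)
    backups = [
        ("ledger-2014.bak", "finance", date(2014, 6, 30)),    # older than 7 years
        ("ledger-2021.bak", "finance", date(2021, 6, 30)),
        ("router-cfg-old.bak", "config", date(2021, 8, 1)),   # older than 90 days
        ("router-cfg-new.bak", "config", date(2021, 12, 1)),
    ]
    return prune_plan(backups, today)

if __name__ == "__main__":
    keep, delete = demo_plan()
    print("keep:", keep, "delete:", delete)
    # Digest recorded when the backup was taken, then checked after a test restore.
    recorded = sha256_hex(b"constructed backup contents")
    print("restore ok:", verify_restore(recorded, b"constructed backup contents"))
```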
2. A Cloud-managed antivirus with patch management
Everybody is now on the cloud and if you don’t have the appropriate antivirus you are at greater risk. Keeping your software updated is also essential as any machines not up to date are more vulnerable to malicious code.
3. Multifactor authentication
Relying on a single password is not safe anymore. It only takes 5 seconds to hack an 8 lower-case-letter password by brute force, and since most people reuse the same password across a variety of platforms, a single cracked password exposes all of them. Adding an extra authentication method makes it almost impossible to break through.
What should you do if your small business is compromised?
If you take one thing from this article, it is the following recommendation: prevention and planning ahead can save you a costly recovery.
No matter how big your business is, you should be prepared for malicious or human error data breaches. Always have backups and plans in place for the eventuality of a cyber threat.
If your business is the victim of cybercrime and you have lost money, please be aware that it is extremely unlikely that money will be recovered. So it is important to contact your bank immediately – or any other institution that you used to transfer money such as PayPal, Western Union, Facebook, Gumtree etc.
To help stop other people from falling victim to the same issue, report the incident to the Police. Your report will also assist the Australian Cyber Security Centre and law enforcement agencies to disrupt cyber-crime operations and make Australia the safest place to connect online.
And if something goes wrong, tell your customers honestly. Transparency is key to trust. Rebuilding confidence in your brand is possible when people know you are working to improve and see you go out of your way to ensure their safety.
How to notify affected people of a cyber breach
- Give the identity and contact details of the organisation at fault
- Summarise the fault
- Outline what information was leaked or stolen
- Pinpoint the steps affected individuals should take in response
React quickly when there is an issue you cannot solve yourself. Call a specialist to make sure your business is adequately protected and you are covering all your bases.