Cybersecurity – Safeguarding for Business Owners

Jenna van Nierop

Cybersecurity is fast becoming a critical business strategy - and if it’s not, it should be. Many businesses hold information that, if not safeguarded from cybersecurity threats, poses a significant risk to both the business and its customers.


The Australian Signals Directorate’s latest Cyber Threat Report reported that:


  • There were 87,000 cybercrime cases across Australia last year.
  • For small businesses, the average cost of a cyber incident is now approximately $49,000.


It is therefore important that business owners think about cybersecurity and the measures they can implement to reduce their risk as business owners and employers.


People: The Biggest Cyber Risk


But where does your cyber strategy start, and how do you know what the risks are? The biggest risk to Australian businesses is their people. More than 85% of all cybersecurity incidents are caused by human error. The top three incident types all rely on staff and business decisions to gain access to systems, meaning it is more important than ever to conduct regular staff training. 


Business owners and their staff should be able to identify phishing attempts, understand what to look for in malicious emails and content, and know how to maintain healthy password practices.


Technology and Updates: Don’t Let Legacy Systems Create Weaknesses


Another considerable business risk is legacy hardware and software being used in the business environment. Regularly turning your computer off for updates, using the latest versions of software and replacing hardware to align with required standards might seem like a small frustration, but it works to close the gaps left by security vulnerabilities.


Visibility and Monitoring: Detecting Threats Early


Realistically, you cannot defend what you cannot see. An important safeguard is having event logging, reporting and alerting set up in your business environment.


Set up appropriate logging and alerts so that you are notified when something risky, like logging in from Australia at 10am and Japan at 11am, is happening inside your environment. Understanding when unauthorised access to systems has occurred is critical to assessing the potential scope of an incident so that it can then be managed.


The Importance of a Cyber Security Policy


A Cyber Security Policy might seem like another piece of paper, but it is critical in ensuring that business owners and their staff understand what needs to be done to protect the business’s devices and information. A good cybersecurity policy should outline:


  • Technology and assets that need to be protected.
  • Threats to those assets.
  • Rules and controls for protecting those assets and the business.
  • The type of information that employees can share.
  • Acceptable use of devices and online materials.
  • How to handle and store sensitive information.
  • How to detect and respond to cybersecurity incidents.


Business.gov.au provides useful information on preparing a Cyber Security Policy for a business: https://business.gov.au/online-and-digital/cyber-security/create-a-cyber-security-policy


The Australian Signals Directorate also provides useful cybersecurity guides and checklists for small business owners: https://www.cyber.gov.au/business-government/small-business-cyber-security/small-business-hub


ATO Recommendations


The ATO recently published an article on cybersecurity best practices and practical tips for business owners. To help protect their employees, the ATO recommends that business owners talk to staff about:


  • Setting up their myID - this is their digital armour when accessing ATO online services through myGov. Set it up to the highest identity strength; the higher the strength, the more protection.
  • Downloading the ATO app - this lets them manage their tax and super easily and receive real-time alerts when changes are made to their account. If something doesn’t look right, they can lock their account instantly and follow the prompts to secure it.


To help protect their business, business owners should adopt a cyber safe culture with these simple habits:


  • Keep devices updated - install software updates regularly to stay protected against the latest threats.
  • Use strong, unique passphrases - combine four or more random words like 'ocean lamp tiger cloud' and add special characters or numbers for extra strength (avoid quotes, personal details or predictable phrases).
  • Turn on multi-factor authentication (MFA) - this adds an extra layer of security to your accounts by requiring two or more forms of ID (like passphrases and biometrics).