The news today is littered with cyber security incidents that are growing in frequency, and the resulting damage seems to be escalating as businesses struggle against the onslaught of cyber attacks. However, the cases in the media represent only a fraction of the true scale of the problem. The fact is that most cases involving cyber attacks or security breaches never get reported. This may be because companies prefer not to publicise security breaches, to avoid reputational damage, regulatory investigations or lawsuits, or because these cases are just not as juicy as those involving their larger, global counterparts. Whatever the reason, this lack of media attention and the understated statistics do a disservice to the general public by downplaying the current impact of cyber threats on Australia’s SMEs, and serve to lull companies and consumers into a false sense of security.
Alarmingly, a large number of small and medium companies globally are labouring under the dangerous misconception that cyber crime only involves large companies and global players, and that cyber security is therefore necessary only for banks and multinational corporations. These SMEs feel secure behind their imagined shroud of insignificance and modest business proportions even as cyber threats against small businesses soar. In addition to facing many of the same cyber risks as large corporations, SMEs are also often used as a means of access to their larger partners and suppliers. According to this year’s Internet Security Threat Report, 60 percent of all targeted attacks last year involved small and medium-sized organisations. Moreover, Ponemon Institute’s Cost of Data Breach Study revealed that in 2014 the average cost of attack for a small company with fewer than 100 employees was a massive US$3.5 million.
What some may fail to realise is that small and medium companies are often more vulnerable to attack than larger corporations. The reasons are numerous, but most come down to a lack of resources invested in security, less mature or sophisticated security processes and technologies, and a failure to adopt basic best practices or implement essential employee awareness and training programs. In some cases, SMEs are not only potentially under-invested in cyber security, they may not even be aware of the gravity of the threat. The unpleasant fact is that a large number of successful attacks have not yet been discovered, and some cyber-security firms estimate that as many as 71 percent of breaches go undetected.
Many executives assume that information security is an IT issue, rather than a distinct function with its own governance structure and a separate budget that allows for appropriate resources. As a result, numerous SMEs fail to appoint a data security specialist, or that specialist is forced to wear too many hats and is simply unable to keep up with the latest malicious code and software patches.
Small and medium companies must realise that cyber security is a business issue and must be considered as part of the firm’s overall strategy. SMEs should consider:
Partnering with a trusted firm that can provide relevant advice on their security infrastructure, including technical testing such as security audits and penetration testing, to determine where the firm’s weaknesses lie and improve organisational readiness
Monitoring networks for unusually high traffic volume
Working with their financial institution to implement multi-factor authentication and dual controls for financial transactions
Educating employees about good security habits, including stronger administrative passwords, policies regarding email attachments, etc.
To improve their security posture, small and medium companies might also consider outsourcing elements of their cyber security programs to managed security services. Using sophisticated technologies and processes to detect security incidents, this approach can provide comprehensive data security in a cost-effective manner.