Who would be interested in hacking us – we’re tiny!

If this is your view of cyber security, I strongly suggest you reassess your internet security. SMEs are easy targets and are increasingly the victims of cyber-attacks. The recent WannaCry attack, which spread through unpatched Windows systems, demonstrated just how vulnerable a business is without an adequate cyber security framework and working protocols.

The statistics are alarming: over 40% of cyber-attacks target small businesses, and 60% of small businesses are OUT of business within six months of a cyber-attack. A recent Australian Cyber Security Centre survey reported that:

“Most organisations (90%) faced some form of attempted or successful cyber security compromise during the 2015-16 financial year” (1)

The more often you come across numbers like these, the more realistic the conclusion becomes that your business will face some form of attempted cyber-attack in the next twelve months. The key word here is most. Together with the other statistics, it should debunk any thinking that, just because your business is not (yet) large, “they wouldn’t be interested in hacking us”.

I recently heard an IT expert interviewed who recommended that any SME infected with the WannaCry ransomware pay the ransom. I found this astounding, but it made commercial sense. It presents an ethical dilemma for the SME in terms of governance, but in terms of commercial agility and the time-critical nature of the situation it presents an interesting argument: do I pay and go against our ethical good standing (paying a ransom), or refuse and face possible business interruption, data loss and reputation damage? The short answer is that it should not have happened in the first place; with a working cyber risk framework and, most importantly, a culture of prevention and awareness, it is likely that this can be avoided.

We should all know by now not to click links in emails from unidentified senders. This should be obvious (and if it's not, you have a serious cultural awareness problem), but what are the other key working protocols that should be in place? First, and most importantly, security awareness must be part of the working culture: you can have all the policies and processes you like, but if they are not front of mind and followed they may as well not exist. Staff training on the policy and process is therefore a must. The next basic is a working password policy. Passwords need to be changed periodically (yes, we all know the pain this causes, but it IS necessary), and they need to be long and unique to each service, since a password reused across sites falls with the weakest of them. A useful tool I discovered recently is the password strength indicator at https://howsecureismypassword.net. Try it with a made-up password of the same construction as your own, never the real one, since no real password should ever be typed into a third-party website, and you will quickly see that length does far more for security than a couple of substituted symbols. Other essentials are keeping your systems up to date: operating system and application patches, anti-virus signatures and your firewall. WannaCry spread through a Windows weakness for which Microsoft had released a patch two months earlier. Finally, take stock of your devices and network access points so you can restrict administrative access to the few people who actually need it.
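To show what a strength indicator of the kind linked above actually measures, here is an added example (not code from this article or from the site it links to) of an offline estimator: it infers the character pool from the classes present, scores length times log2(pool) in bits, gives zero credit to anything on a common-password list, and converts the result to an expected cracking time. Because it runs locally, nothing is sent anywhere. The guess rate (ten billion per second, an offline GPU attack on a fast unsalted hash), the tiny common-password list and the rating thresholds are all assumptions for illustration. The estimate is deliberately naive: it treats "Passw0rd!" as a random nine-character string, which overstates its strength against a dictionary-plus-substitution attack, and that gap is exactly the caveat to keep in mind when reading any online indicator.

```python
import math
import string

# Constructed stand-in for a real common-password list (real wordlists run to
# millions of entries); anything on it gets zero credit regardless of length.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

# Assumed attacker: offline cracking of a fast, unsalted hash on GPUs at ten
# billion guesses per second. An assumption for illustration, not a measurement;
# a slow salted hash such as bcrypt cuts this rate by orders of magnitude.
GUESSES_PER_SECOND = 10_000_000_000


def pool_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover, inferred from
    the character classes actually present in the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
        (" ", 1),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(pool). Common passwords score
    zero because a wordlist attack finds them in its first few guesses. This
    naive model does not detect dictionary words with substitutions."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def seconds_to_crack(password: str) -> float:
    """Expected time to search half the keyspace at the assumed guess rate."""
    return 2 ** entropy_bits(password) / 2 / GUESSES_PER_SECOND


def rating(password: str) -> str:
    """Coarse label for the entropy estimate (thresholds are an assumption)."""
    bits = entropy_bits(password)
    if bits < 28:
        return "very weak"
    if bits < 48:
        return "weak"
    if bits < 72:
        return "fair"
    if bits < 100:
        return "strong"
    return "very strong"


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instant"


if __name__ == "__main__":
    # Constructed candidates: a wordlist hit, two "complex" short passwords
    # built from a dictionary word, and a long lowercase passphrase.
    for pw in ["password", "Passw0rd!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:34} {entropy_bits(pw):6.1f} bits  {rating(pw):12} "
              f"{human_time(seconds_to_crack(pw))}")
```

Running it shows the point the paragraph makes: the 28-character lowercase passphrase scores well over 100 bits and an astronomical cracking time, while the nine-character "Passw0rd!" scores under 60 bits and roughly a year at the assumed rate, and that is before a smarter attacker exploits its dictionary root. Length and uniqueness, not symbol substitution, are what move the needle.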

The consequences of an attack are far wider than data loss. They can result in severe business interruption and brand damage. Ask yourself: if a preferred supplier were severely compromised while holding your information, would this change your attitude to dealing with them? Of course it would, and therein lies the answer to the possible consequences of a cyber-attack. Add to that the associated legal and regulatory costs, and with them comes stress, stress and more stress! What was considered a useful risk mitigant in the past is fast becoming essential: cyber insurance. Basic policies tend to cover business interruption, with the more advanced covering liability for customer data loss and replacement. If your business is heavily reliant on customer data, you should either have this cover in place or be seeking to implement it. The clever operators will note the positive marketing value of strong cover with existing and prospective customers. Consequently, if you have it or are thinking of taking it on, make it known as a key customer benefit: use it as a customer attraction piece as well as an essential risk mitigant.

Consequences and vulnerability are your key questions, and you need to revisit them often. The working protocols are relatively straightforward and follow the same principle as leaving the house: don't leave the windows and doors open and unlocked, and make sure everyone knows and follows the rules. Common sense, right? The problem, as is often said, is that common sense unfortunately is not that common. So follow the steps outlined above, consider cyber insurance, and you stand the best possible chance of avoiding a cyber disaster.

Note that cyber risk is a key topic at our Risk & Finance: It’s Your Executive Responsibility sessions. For further info see bit.ly/2krfsem

(1) Australian Cyber Security Centre, 2016 Cyber Security Survey, https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf