SMEs and NFPs are especially vulnerable to cybercrime, so it’s vital for executives and boards to build a planned, fit-for-purpose response to a crisis.
While the threat of cybercrime is ever-present for Australian organisations, smaller not-for-profits (NFPs) and small and medium enterprises (SMEs) face particular challenges when it comes to boosting cybersecurity. These challenges are both practical and attitudinal, say experts.
A new report by the Cyber Security Cooperative Research Centre (CSCRC), Small but stronger: Lifting SME cyber security in South Australia, found that ad hoc cyber budgets and poor incident preparedness can leave SMEs open to cyberattacks. Small but Stronger, the Australian-first pilot project, aimed to boost the cyber-resilience of six South Australian SMEs, and to better understand the challenges SMEs face. It identified five common weaknesses across SMEs, and engagement strategies that worked. It is also seen as a first step towards in-depth research into practical measures to support SMEs, which are often bombarded with complex advice and information that provides little practical support.
SMEs account for approximately 90 per cent of the Australian economy, so it is vital that they are cyber-secure, says CSCRC CEO Rachael Falk. “The process of getting cybersecurity right can be confusing and expensive, but it is becoming ever more important as Australia transforms into a digital economy.”
The biggest practical challenges SMEs face when it comes to cybersecurity are resource constraints in terms of the time, skills and budget that can be allocated to boosting cyber resilience. “With competing priorities and limited resources when operating an SME, cybersecurity is often treated as an afterthought to core business — rather than a business enabler of digital trust and client relationships,” says Michael Woods, CEO/founder of Australian cybersecurity company Tannhauser. “Typically, businesses this size prioritise sales and revenue, and only appreciate the implications of poor security after they have suffered an incident.”
Not if, but when
In addition, some SME leadership teams also have a mistaken belief that there is a lower likelihood of an SME being targeted. “Most SMEs simply don’t have enough awareness of cybercrime and the potential impact it can have on them,” says Aaron Bugal, global solutions engineer APJ at security hardware/software company Sophos. “There’s an ‘it won’t happen to me’ attitude in a lot of smaller businesses, where many believe they’re too small to be attacked. Because of this, we see a lot of businesses with inadequate protection and processes in place.”
There is also often a lack of budget to cover costs incurred by implementing cybersecurity measures, with some regarding the expense of hiring a managed service provider (MSP) or working directly with a cybersecurity vendor as unnecessary. Bugal points out that the average global recovery cost of ransomware in 2021 was US$1.85m, according to Sophos’ The State of Ransomware 2021 report.
“Unfortunately, we know that this hesitation is exactly what makes SMEs such easy targets,” says Bugal. “Most cybercriminals would rather go after 10 small businesses with easily circumvented cybersecurity than try to take down a large corporation for a big score.”
Nick Lennon, country manager of threat risk protection company Mimecast Australia, agrees, saying SMEs are attractive to hackers by virtue of often being part of a much bigger supply chain.
“Today’s level of canvassing by hackers involves looking at the relationships within the organisation via platforms like LinkedIn, as well as knowing if a small organisation is trading with a much larger one,” explains Lennon. “They use the small organisation as a stepping stone for access to a large government agency or organisation.”
Third party risk
Another vulnerability, adds Lennon, is that cybercriminals see MSPs as the gateway to thousands of other organisations. MSPs have inside access to many of their customers’ networks and many SMEs rely on them because they lack their own in-house technology capabilities. An MSP offers cloud versions of popular software and often also boosts security.
For example, in July 2021, US-based software provider Kaseya was attacked by ransomware group REvil. The attack affected 1500 businesses on all five continents — from supermarkets in Sweden to kindergartens in New Zealand. As Kaseya’s software serves many MSPs, the attacks multiplied before the company could warn the organisations with whom it has relationships. Ransoms of up to US$5m were demanded from the subsequent victims.
Woods also cautions against depending on cybersecurity advice from an MSP, as they may lack specific cybersecurity expertise. “An SME may lean on the MSP for technology advice, but the advice they get could be a generic response.”
Lennon believes that it is even more important for boards at SMEs to champion the responsibility of every employee to practice good cybersecurity habits, because their staff will often be on the frontline of risk. Confining the responsibility for maintaining cybersecurity to a small IT department can prove a costly mistake.
“Cybersecurity should never be seen as an IT issue — it is a whole-of-business issue,” says Lennon. “The fact we turn up to work with mobile phones, laptops and iPads, and engage with customer data every day, means the executive team needs to consider frequent, consistent and engaging cyber training for all staff, tailored to their responsibilities.”
Strategies for response
If awareness of the threat is the first step, what comes next in terms of taking action?
From an operational perspective, one starting point is to become familiar with the Australian Cyber Security Centre’s maturity model known as the “Essential Eight”. First published in 2017, the guidelines were designed to protect Microsoft Windows-based internet-connected networks and gained popularity with regulators and auditors due to the straightforward manner of the advice.
The ACSC notes that while the mitigation model may be applied to cloud services, enterprise mobility or other operating systems, it was not primarily designed for such purposes; to mitigate cyber threats to these environments, organisations should consider alternative guidance provided by the ACSC.
The Essential Eight can be helpful for boards determining where to prioritise limited investments. Fred Thiele, chief information security officer at cybersecurity management company Interactive, says getting across the eight points can require a significant, albeit worthwhile, investment of time. “Achieving even Level 1 of maturity across the Essential Eight is a big accomplishment and can take years to achieve,” says Thiele. “Additionally, it may not be appropriate to be at the highest level of maturity for each Essential Eight control.”
While directors may face pressure from auditors and regulators to continually increase their maturity levels, Thiele believes a better way forward is to set a target maturity using a risk-based approach that achieves a considered balance between user experience and security.
The right kind of cover
The threat of cybercrime is constantly evolving, and the increasing prevalence of ransomware attacks has caused cyber insurance premiums in Australia to soar. According to figures from the Australian Mid-Year Insurance Market Update 2021 report from insurance broker and risk advisory Marsh, premiums increased by up to 80 per cent in the second quarter of 2021 compared to the same period in 2020. Claims numbers were up 50 per cent.
“While the cyber insurance industry is still in early stages of maturity, insurers’ payouts across the globe in 2021 were far higher than anticipated due to ransomware attacks and policies they wrote for companies that had unaddressed vulnerabilities,” says Bugal.
He acknowledges that cyber insurance is a huge challenge for directors, partly because massive changes are occurring within the industry — and cybercrime itself — that can be very difficult to keep up with. Sophos’ The Future of Cybersecurity in Asia Pacific and Japan 2022 report revealed only 52 per cent of Australian companies surveyed believe their board truly understands cyber threats.
As a result of more frequent and sophisticated attacks, many insurers are responding by reducing coverage while simultaneously increasing premium prices. Kelly Butler, managing director and cyber practice leader at global professional services firm Marsh & McLennan Companies, believes some level of premium increases is necessary for the market to be sustainable. However, she adds some insurers are going further than others on this front — while also introducing wide-ranging exclusions. An increasingly common exclusion is when a company has failed to implement basic multi-factor authentication across the organisation.
As Thiele notes, having strong IT defences in place will reduce cyber insurance costs, as the quality of protection heavily impacts premiums. “Good cybersecurity can also help keep premiums down in the long term,” he says. “By minimising your risk of being impacted by a cyber attack, you reduce the likelihood you’ll need to call on your policy — and keep your policy renewal costs down. If you experience a cyber attack and your insurer believes you left the door open through weak practices, they may have grounds not to pay out.”
Robyn Adcock, cyber/technology practice leader at insurer Gallagher, says directors must understand their technical controls, which is challenging for anyone who doesn’t operate in this space. “The ground keeps shifting and as threats change those controls may need to be adjusted to protect the business’ data,” she says.
Insurers also need to be reassured of this direct involvement. “Demonstrate your competency to protect, contain and recover from a cyber attack through embedded processes, policies and plans that are measured and tested on a regular basis,” says Adcock. “Ensure you have a culture of cybersecurity throughout the organisation.”
Until a couple of years ago, it was common for insurers to add cyber insurance to a professional indemnity policy or management liability policy. “This was problematic, because clients thought they had some level of cover, but it was highly limited,” says Butler, underscoring the importance of working with a specialised cyber insurance broker who can explain how a particular policy will work with your organisation. “There’s no off-the-shelf product when it comes to cyber insurance, and this does lead to a little bit of frustration and maybe confusion within companies,” she says, adding a tailored policy is vital. “What are your key risks and pain points? Not everything will be insurable. A cyber policy is not a catch-all policy, so you need to ensure it will operate as you need it to in a crisis.”
Financial or professional services organisations would generally be most concerned about a data breach, whereas for a small manufacturer, the priority would be business interruption cover. There may also be a waiting period of 12–24 hours before a claim can be made. “Being down for 24 hours without access to cover would be catastrophic for some SMEs,” says Butler.
Having seen the aftermath of cybercrime on both the insured and uninsured, she notes an appropriate insurance policy will absorb some of the financial shock, as well as providing immediate access to support. Once a suspected breach has occurred, the insurer can provide PR teams to manage reputational damage or media scrutiny; lawyers to address privacy or sanctions issues; IT forensics to triage and identify the issue; and negotiators to handle an attempt at extortion.
“I’ve seen top ASX companies down to small SMEs affected by cybercrime,” she says. “Insurance provides a safeguard against the catastrophic loss and cost of a cyber event. But what’s important is that the level and scope of cover be evaluated to ensure the policy meets the needs of the company.”
Cybersecurity tips for directors
Damien Manuel GAICD, chair of the Australian Information Security Association
Compliance doesn’t mean you won’t have an incident — it may help to reduce the impact and helps you prepare to deal with an incident.
Ensure your board has open and frank discussions about cybersecurity risks during meetings. Find out how data and information is being protected in the organisation.
Ask for a report that identifies business-critical systems, data and information within your organisation. How is it protected? Who is accessing it — and how? How long can the business survive if the systems or data are offline or deleted?
What are the repercussions if your critical data and information is publicly released? What legal, regulatory and commercial consequences would occur if you had an incident?
Share with your peers — they may have solved a problem similar to your own, but in a different and innovative way you hadn’t considered. This may help save you time and money. Learn from other people’s mistakes. Cybersecurity challenges can feel confronting and confusing, but if it was simple, we would have collectively solved this problem 30 years ago.