Cyber attacks have surged over the past year and it’s not just government institutions and big companies that have been targeted. Small- and medium-sized businesses are equally at risk, but many aren’t prepared. 

Coronavirus has created a lively threat landscape, says Keith Howard, Group Chief Information Security Officer at the Commonwealth Bank. Many more people are working from home, without the typical security controls of an office environment, and there’s also been a huge increase in small-to-medium enterprises moving online, providing greater opportunity for cyber criminals to strike.

What’s the threat?

Ransomware, cyber extortion and business email compromise are the most prevalent current threats.

  1. Ransomware is malicious software that’s typically delivered via a link or attachment and can encrypt your data. A ransom is then demanded to decrypt the data. Howard says there’s been a tremendous increase over the past year in ransomware and in the aggressive tactics used by attackers, and it has affected companies large and small.

  2. Cyber extortion occurs when attackers claim they have your data (personal or business) and threaten to release it publicly unless you pay them.

  3. Business email compromise occurs when criminals impersonate your email address or gain unauthorised access to a business’s email account. Often, weak passwords are to blame, as criminals have automated ways of guessing passwords that lack complexity or are fewer than eight characters long. Once a criminal gets access to a business email account, they can send legitimate-looking emails that appear to come from a trusted business contact.

The problem, research from the Australian Cyber Security Centre shows, is that while smaller businesses know they should do something about cyber security, they either don’t recognise how business-critical it is, think they’re not really a target, or put it in the too-hard basket.

Every business in Australia needs a cyber security policy. It’s fundamental to running your organisation safely and should be considered a necessary ongoing investment – just as legal, business continuity or financial advice is.

It also doesn’t need to sit in the too-hard basket – cyber security is often more about people than technology. Ninety per cent of cyber attacks stem from people’s actions, or inaction.1 That means your team is perhaps your weakest link, but with ongoing education and knowledge they can become your first point of protection.

Denis Moriarty is Founder and Group Managing Director of Our Community, an information network that connects not-for-profits (NFPs) with resources. He says NFPs need to be particularly aware of their cyber security responsibilities due to the sensitive data many of them hold.

He says cyber security needs to be part of an organisation’s DNA. It should be discussed at board and management level and implemented by everyone in the business, not just the IT department.

So what do you need to do now?

Start with the basics to protect your business using this cyber security checklist:

  • Teach your team about cyber security. How do they detect a phishing email? What do they do if they accidentally click on it?
  • Determine where all your critical data is held and back it up – preferably in a separate location.
  • Keep your end-point detection and response and anti-virus software up to date – on all your hardware, including work phones.
  • Maintain good hygiene on your social profiles and consider multi-factor authentication for social accounts and internet-based email accounts such as Gmail and Outlook.
  • Use strong passwords, which are fundamentally important, and consider upgrading to passphrases – increased length makes them harder to crack in a brute force attack.
  • Prepare for being compromised. What’s your recovery plan?
  • Have robust payment processes with strict separation of duties, and checks and balances for when unexpected or large payment requests come through to your teams.

And one final piece of advice comes from Professor Lesley Seebeck, CEO of the Cyber Institute at the Australian National University, who recently joined CommBank for a discussion about cyber security for small businesses. She says don’t blame the victim – anyone can fall victim to a cyber attack. Businesses need to work together to build resiliency at scale by sharing information and driving accountability. Sharing our experiences is important as it enables others to learn.

There are many resources on the CommBank website – from learning modules to quick guides.

To learn more from leading experts about what’s important to business and the economy visit CommBank Foresight™ – insights for future-facing businesses.
