4 Common Mistakes SMEs Make That Invite Cyber Attackers
Two-thirds of Australian small-to-medium-sized enterprises (SME) go out of business after a cyber attack or data breach. That’s according to the latest figures from the Australian Small Business and Family Enterprise Ombudsman.
Often, small business owners think they’re too small to be targeted, but they face the same threats as larger organisations. Six out of 10 targeted attacks zero in on SMEs, says the ombudsman.
Here are four reasons hacker numbers are escalating for this vulnerable cohort of businesses.
Mistake 1: Assuming your employees know how to respond to a cyber attack
Once-off staff training about cyber security is not enough, as these issues continually evolve. According to the Forgetting Curve Theory, it’s normal to forget information that we don’t revise. Spaced repetition to revisit the learning helps it stick, even better if it involves meaningful material.
Aim to pace your employees through refresher training at least once every four to six months. Regular training also helps you identify their knowledge and skills gaps, so be sure to test them so you can continuously improve the content and delivery.
Check this free online learning hub from the Australian Cyber Security Centre (ASCS). The centre also has a useful Small Business Cyber Security Guide. It’s worth the investment of time because human error leads to 95% of cyber security breaches, says the World Economic Forum.
Mistake 2: Depending on the IT team
SMEs tend to lean on their IT team – if they have one – to deal with cyber security. However, the ACSC says SMEs face significant barriers to implementing good cyber security practices, including:
- Lacking dedicated staff with an IT security focus
- Not understanding the complexity of cyber security
- Having challenges in knowing about and how to roll out security measures
- Underestimating cyber incident risk and consequences
- Inadequate planning to respond to cyber incidents.
For example, a small NSW business that has just a two-person IT team had struggled for over a year to get all staff set up multi-factor authentication for logging onto computers. Thanks to the business owner finally directing staff to do so, everyone has signed up. So, check in with your IT team if they need extra support for cyber security.
Ensure your IT and operations teams work seamlessly together to identify any anomalies on your network. What might begin as a glitch could be overlooked in your IT ticketing system. (Hackers lurk in your system on average for 11 days before detection). Having a dedicated response team across your organisation makes cyber security everyone’s business.
Mistake 3: Not updating software regularly
Even if you have robust firewall and high-end security software for your servers and website, hackers may still enter through novel ways. Aim to keep a step ahead by regularly updating your software.
Enabling automatic updates is a useful strategy. However, this may mean disrupting your operations at times, so another way is to schedule updates to happen after hours. Check your software if it allows you to turn on or off update reminders. Impress upon your staff on how to install updates on their devices and remind them.
Consider storing your key files, such as income statements and budget reports, off your server. And be sure to back up your data if it’s connected to a server or not.
Mistake 4: Not having cyber insurance
The average cyber attack costs an SME $275,000. Does your business have the financial resources to recover from such an attack? The hefty costs include paying experts to advise you on responding to phishing incidents, ransomware, or other cyber threats.
There may also be fines and legal costs to pay for third-date breaches. You will also need a crisis management advisor to help rebuild your business reputation.
A worthwhile safeguard to help protect your business is cyber liability insurance. It gives some peace of mind to you as well as to your suppliers and customers. Your coverage may generally include cover for expenses and restoration costs relating to the following:
- Data breaches including theft or loss of client information
- Network security breaches
- Business interruption costs
- Forensic investigation into the cause or scope of a breach
- Data recovery costs
- Cyber extortion
- Crisis management costs (to protect or mitigate damage to your businesses reputation resulting from a cyber event)
- Loss and legal costs, including fines and penalties resulting from a third party claim for data or network security breach against your company
Reach out to us to bolster your risk management approach to cyber security, including with appropriate cover.