Cyber security tips for small business

When cybercrime hits the headlines, it's usually because a large, high-profile business has suffered a breach, exposing sensitive customer data.

But that doesn't mean cybercrime is a big-business problem. In fact, small and medium-sized businesses might be even more at risk.

A survey of small and medium-sized business owners and IT managers, conducted by the Australian Cyber Security Centre (ACSC), found that 62% have experienced a cyber security incident of some kind.

Almost half rated their cyber security understanding as 'average' or 'below average', and 48% only spend $500 or less on cyber security each year.

As our lives shift increasingly online, cyber attacks are becoming more prevalent.

The vast majority of small-to-medium enterprises (SMEs) have at least some element of their business online. This means there are more opportunities for hackers and cyber criminals to execute an attack - or take advantage of an organisation in a vulnerable position.

Small businesses can appear to be easy targets. That's why it's important to take cyber security seriously.

What could a cyber attack mean for small businesses?

According to cyber.gov.au, in the 2021-22 financial year, the average cost of each cyber crime event reported for small businesses was $39,000.

Losses can result from direct theft, disruption to business, or costs to get systems up and running.

However, a data breach can also significantly damage your business's reputation, especially if customers' sensitive data is compromised. This cost can be harder to calculate.

Customer trust is incredibly important for SMEs. If it's broken, you might lose out on future partnerships, or see customers moving elsewhere.

Understanding cyber security threats

Cyber threats are constantly evolving, so it's important to stay informed and educated on an ongoing basis.

Attacks can delete or encrypt files, with criminals demanding a ransom to release them. Or, Distributed Denial-of-Service (DDoS) attacks can flood servers with requests, making legitimate operations impossible.

For many businesses, however, the biggest risk is compromising customer data, especially sensitive information such as credit card details or ID documents.

If this data is leaked, the reputational damage can be catastrophic.

So, cyber security isn't only about protecting against malicious actors. It's also about properly storing data - preventing it from being accidentally lost or exposed.

A cyber attack often results in a data breach. But, a data breach isn't always caused by an attack - sometimes it's due to human error.

If an employee leaves a document including sensitive client information in a public place, then that data has been compromised, without any involvement from a malicious actor.

With that said, there are many ways criminals try to gain access to businesses' networks. Here are some of the most common:

Phishing

Phishing emails are fake messages designed to trick recipients into sharing private information - whether personal, commercial or financial.

An email could appear to be from a systems administrator, asking an employee to click a link and 'log in', giving cybercriminals their details, and access to your systems. This opens the door to spyware, data theft, account takeovers and malware.

Phishing messages can be incredibly sophisticated. In fact, in 2021, a massive 92% of Australian organisations fell victim to successful phishing attacks.

Business email compromise

In business email compromise (BEC) attacks, criminals impersonate real contacts, often using email addresses that are almost identical.

These emails sometimes ask employees to share confidential information. Often, however, they request to change payment information, meaning invoices are paid into the fraudster's account, rather than to the intended recipient.

According to the ACCC's Targeting Scams Report, small and micro businesses lost $13.7 million to email scams in 2022. The majority was lost through BEC scams.

Malware

Malware, or malicious software, is a broad term for software designed to cause damage - including ransomware, viruses, spying software and more.

Web shell malware gives attackers remote access to servers, effectively giving them full control of your systems.

Devices can be infected with malware through clicking on links to websites, opening attachments, or installing applications.

Ransomware

Ransomware is a specific form of malware that typically encrypts and locks files. Criminals then demand payment (often in cryptocurrency) to unlock them.

Sometimes, criminals will demand a ransom to stop them from leaking customer data or intellectual property online.

According to a report in the Australian Financial Review, 64% of local businesses have experienced some form of disruption from ransomware attacks.

Virus

The term 'virus' is often used interchangeably with malware. However, a virus is another specific type of malware that self-replicates, and distributes itself throughout systems.

Viruses can spread through malicious websites, emails, and storage devices like flash drives, and can also delete files, corrupt applications or crash systems entirely.

Why is cyber security so important for small businesses?

Even sophisticated hackers like an easy target, and in SMEs, that's what they see. Many SMEs hold similar customer data to big businesses, but don't have the in-house expertise or resources to properly protect it.

Smaller businesses are typically more stretched on time and resources, meaning they spend less money on cyber solutions, and less time on training.

Proportionally, the cost of a cyber attack is more significant for smaller businesses than for larger ones.

They're less likely to have a response plan in place, so may not act fast enough to mitigate the damage. Fewer dedicated resources means the recovery will probably be slower, too.

Ultimately, for SMEs, the losses of data, money and trust are all more significant - perhaps catastrophic.

Legal obligations

Some businesses may have legal and regulatory obligations around cyber security.

Under the Notifiable Data Breaches scheme, any business covered by the Privacy Act 1988 must notify affected customers, and the government, if they're subject to a breach 'likely to result in serious harm'.

This applies to any business with an annual turnover of $3 million or more.

Regardless of turnover, it also applies to:

  • Healthcare providers (including gyms, pharmacists and child care centres)
  • Businesses that sell or purchase personal information
  • Credit reporting bodies
  • Government service providers
  • Businesses accredited under the Consumer Data Right System
  • Businesses related to covered businesses
  • Businesses that operate tenancy databases (or are otherwise covered by Privacy Regulation 2013)

Businesses can also choose to opt-in to the Privacy Act - something that can provide benefits in terms of consumer confidence.

Steps to improve small business cyber security

The more cyber security measures you have in place, the less appealing your business will be to attackers - and the more forgiving your customers and partners will be in the case of an incident.

While some measures will require some investment, others are relatively easy and inexpensive.

Here are seven steps to boosting cyber resilience in your small business.

  1. Make an assessment: You can't improve your cyber security if you don't know where the problems are. Take some time to conduct an assessment and create a strategy, and consider writing a cyber security policy, to keep yourself (and your team) accountable
  2. Educate employees: Some 95% of cyber incidents are caused by human error - whether through phishing or accidentally exposing data. It's crucial that team members are educated on best security practices, the marks of a suspicious email, password strength, and data protection. Encourage staff to question anything that looks suspicious
  3. Implement access controls: The fewer people have access to sensitive data, the lesser the risk. Consider implementing controls, so that not every team member can access all systems and networks. Multi-factor authentication adds another layer of defence, requiring people to prove their identity in another way (entering a code sent to their mobile phone, for example) before they can access their account
  4. Install antivirus: Antivirus software can identify and stop malware. Many devices have antivirus built in; however, purchasing additional software can add protection and specialist features. Similarly, most operating systems offer a firewall - a defensive barrier between your internal network and the public internet that filters incoming and outgoing traffic. Make sure this is enabled, and consider restricting access to these settings so employees (or malicious actors posing as employees) can’t disable it
  5. Regularly update software: This goes for antivirus software and any other software, and could be as easy as enabling 'auto-updates'. When software developers are made aware of a vulnerability, they release a 'patch' to correct it. So installing any updates means you’ll be as protected as possible
  6. Back up data regularly: Keeping up-to-date backups of all your company's data will allow for a faster and smoother recovery in the event of an incident. Disconnect your backups so they can't be infected by any malware in your main network, and consider keeping an online backup, too. Put a recovery plan in place to help get your business up and running again. Do not plug your backups into an infected device or network, or you'll risk them becoming corrupted, encrypted or deleted, too
  7. Have a plan: No amount of protection can completely remove the threat of a cyber attack, but if you know the signs and best practices around how to respond, you will be able to mitigate the damage, stop the attack, and keep customers well informed. Your team should also know the signs of an incident, and what to do if they spot them

Cyber security solutions for small businesses

Cyber security is a complex space that's constantly evolving. Depending on your business and your budget, it may be worth enlisting the help of experts. Printing technology can be overlooked in cyber security, but it's an important part of the puzzle.

According to Quocirca, only 11% of SME owners feel 'completely confident' in the security of their printing infrastructure. A massive 61% have recently experienced a print-related data loss.

Despite the drive towards digitisation, 70% of businesses say they still rely on printing. However, 27% of IT security incidents relate to paper documents.

A managed print solution, otherwise known as MPS, offers centralised management of printers and other devices, meaning a more secure printing ecosystem.

Other cyber security tools range from antivirus, to third-party providers and specialist consultants.

When choosing the right solution for your business, consider your risk level, the potential cost of a breach, and - of course - your budget.

Think about your needs today, and in the future. If you expect to grow significantly within a few years, it may be worth preparing with an investment in cyber security now.

How to maximise cyber security, without overpaying

Implementing best practices around cyber security - such as strong passwords and backing up data - doesn't have to be costly. However, things like specialist antivirus software, consultancies and even investing in cyber insurance can add up fast.

The majority of SMEs spend less than $1,000 on cyber security each year - 48% spend less than $500, and 17% spend between $500 and $999.

So, it's best to do as much as you can on a shoestring, then consider what else is a priority for you.

The Federal Budget 2023-24 included a $23.4 million investment, over three years, into the Cyber Wardens program - designed to help small businesses train up team members in cyber security.

Elsewhere, Cyber.gov.au offers support and advice for small businesses, including a cyber security guide and checklist.

How can Brother help increase your cyber security efforts?

It's important to ensure all office tools connected to your network are protected - including printers and all-in-one devices.

Brother's Managed Print Services program ensures all printers are fully up-to-date, and connected into the company's ecosystem, while preventing unauthorised access.

MPS programs can also allow for ID readers on printers, ensuring print jobs end up in the right hands.

Selected Brother scanners, such as the ADS-4900W, allow documents to be instantly converted into PDF using OCR technology and uploaded to your secure systems, meaning fewer paper copies of documents.

Users can also pair their solutions with the Brother iPrint&Scan app, which allows them to add password protection to scanned documents with ease.

The last word on cyber security for small businesses

When it comes to cyber security for your small or medium-sized business, there's a lot to consider and plenty of complexity to unpack.

But if you can take the time to identify your weak points, educate your team and implement all the 'easy' fixes you can, then you can go a long way towards protecting your business, meaning any investment you make will work harder.

Want to chat to an expert about your print, scan and copy workflows? Contact Brother and explore the various ways we can help streamline your printing and documentation processes today.
