Q: What are the biggest weaknesses smaller businesses face in terms of cybersecurity?
David: The main pain point is finding or allocating time and money to cybersecurity. As a result, there is often no coordinated approach or focus on taking basic steps to improve their posture.
Appointing a person in a company to own cybersecurity is important. They don’t need to be technical or an IT expert but someone who can ensure good practices and measures, and then ensure improvements are being made.
Lack of cyber awareness can lead to easy mistakes. Take invoice fraud and scams, for example. They are one of the most prevalent cybercrimes targeting small businesses. They work really well because there’s often little caution being taken in the payment process. To prevent this, only process payments when they are validated with the party you are paying. This includes validating any change of payment details, such as updating bank account details for the payment, and doing it verbally by calling a verified contact person and phone number.
Kelly: I always say when it comes down to cybersecurity, you can have all the technology and processes, but your biggest risk is your people.
Firstly, cybersecurity isn’t about a business being attacked, but more often an individual on the team. Educate your employees and make sure that everyone understands what to look out for and what to do if they are suspicious something isn’t right. Check the spelling on emails, logos, wording – any inconsistencies.
Then discourage your workers from feeling embarrassed if something occurs. Once someone realises they have clicked on a suspicious link, if they contemplate what to do for too long, they continue to make your systems vulnerable. Make your team feel empowered and aware that it is common, so they don’t feel they need to hide it if they feel they have been hacked. The same goes for the business owner themselves; it is definitely a case of not if it will happen, but when.
Q: What advice do you have for owners to protect themselves?
David: Your priority should be to protect the data you handle as this is the most precious digital asset you own. Understand and take note of where your most important data is and who has access to it, including third parties. You can’t protect what you don’t know about. Once you have this visibility, you should review every stakeholder’s access rights, validate if they still need this access, and correct if necessary. This review should happen regularly to minimise the chances of data breaches.
There are also a number of cyber-hygiene steps owners should regularly take. Apply security patches as soon as they are published for the software you use, including operating systems on laptops and PCs.
Enabling multi-factor authentication on all systems, such as a password and a temporary code sent to a mobile device, is another safety step. Plus, have an incident response plan that outlines the roles, responsibilities and guidelines for different types of cyber incidents should they arise. Back up your data to ensure it's not lost for good if it's stolen, encrypted or deleted.
Kelly: As David mentioned, don’t overlook your antivirus software. Make sure it’s current and you've done the right updates, which are often automatic. Check the expiry dates like you check expiry dates on your food in the fridge. People tend to do an iPhone update within a second but don’t do the same with their software.
Also look at minimising your current data on your live active systems and where you keep your older data. Look at removing old data from your live systems and store it elsewhere.
Continue to educate your team and encourage behavioural change to ensure your business is protected. This includes locking screens, shutting down desktops or laptops overnight. The more hours in the day your systems are made available to hackers, the more opportunities you provide them.
Q: What should a business owner do if they are compromised?
David: Seek help as soon as possible. Even if you are threatened by ransomware, you shouldn’t pay the ransom because there is no guarantee the attackers will keep their promise, and in some cases, they actually keep the stolen data and continue to blackmail their target.
There are industry and governmental bodies that can help, including the Australian Cyber Security Centre (ACSC), which has launched a dedicated hotline for businesses that experience a cyber incident. In addition, a company will probably need to bring in external support, often private cybersecurity or managed security services companies that will build a response team to mitigate the attack or start the recovery.
Once those technical aspects are being taken care of, other steps include quickly designing a communications plan to inform all stakeholders that may be impacted by the incident as soon as possible, as well as assessing the potential ramifications of this incident – financial, legal and reputational. Businesses should build a plan to outline how they will recover from this. Lastly, consider how to reinforce your cybersecurity to prevent similar incidents from happening again in the future.
Kelly: Approach ACSC, and also reach out to a local professional if you are unprotected and ask to have your laptop cleaned if you don’t feel confident you can do it yourself.
A cybersecurity breach or threat is a lesson in your business processes and how informed your team is. While concerning if it happens, it can provide an opportunity to better safeguard yourself in the future. However, it is best practice for businesses to look at all possible safeguards before a breach occurs.
What is a cyber threat?
According to Netskope’s David Fairman, it is important to understand that cyber criminals know that information is power and are after one thing: valuable information and data to blackmail organisations for financial gains, and in some cases, for espionage.
There are two main ways cyber criminals achieve this: find vulnerabilities in an organisation’s systems and/or devices to penetrate them; or deceive the people who work within those organisations to steal their credentials and get them to send confidential data and information. The latter is often achieved with malware, phishing and general social engineering tactics.
Unfortunately, smaller businesses are prime targets because cyber criminals know that they often don’t have strong cybersecurity. Any business should consider that as soon as they are handling data, and have a digital footprint, they are at risk.
The Australian Cyber Security Centre offers some great resources including a framework called the Essential Eight that provides practical cybersecurity actions.
Insure your business from cyber crime
Cyber insurance for the construction industry has been specifically designed to protect businesses from a variety of risks associated with doing business online. Every business that has an online presence or that uses technology as part of its day-to-day operations is potentially vulnerable to a cyberattack. These attacks can compromise personal or confidential data, cause financial loss and liability to third parties, and damage your business's reputation. Some of the key highlights of cyber insurance are:
To find out more about cyber insurance, visit HIA Insurance or call 1800 762 878 to speak with a specialist.
Published on 11 November 2022