Norton (a Symantec company) says that despite long and concerted cyber security awareness campaigns, many Australian SMBs are still ill-equipped or unwilling to assess and proactively secure their devices and data to minimise the threat of cyber attacks in an increasingly digital world.
Mark Gorrie, director, Norton Business Unit, Pacific Region, Symantec, said, “Small businesses are a vital component of the Australian economy and there are more than two million of them across the country. Collectively they employ almost half the Australian private sector workforce and account for one fifth of Australia's gross domestic product. That’s a lot of employees and critical business information to protect from cyber criminals.”
Peter Strong, chief executive, Council of Small Business Australia, said, “Many small businesses in Australia don’t have the time, the resources, or even the expertise to keep on top of the ever-evolving cyber security landscape. They’re focused on running their business and that’s what they’re best at. But that leaves them vulnerable to cyber attacks and leaves them exposed should anything happen to their critical business information.”
- downtime (40%);
- expense for re-doing lost work (26%);
- inconvenience (24%);
- privacy breach (22%);
- financial loss (16%); and
- data loss (15%).
Ransomware still the king
The Aussie mantra of “She’ll be right mate – it can’t happen to me” is no longer a defence against clever cyber criminals who realise Australians have the capacity to pay for ransomware attacks.
Ransomware prevents or limits users from accessing their system unless a ransom is paid.
- 11% were impacted by a ransomware attack.
- Larger SMBs were more likely to have suffered an attack: 16% of businesses with 4-20 employees had been attacked compared to 6% of micro-SMBs.
- 34% of businesses affected by a ransomware attack paid the ransom, which, on average, amounted to $4677, and 8% of those who paid did not get their files back.
- 31% do not believe they would last a week without critical business information.
- Businesses more likely to have suffered a ransomware attack included: businesses with a revenue of $1 million or more (20%), construction and trades businesses (19%), businesses with a server (14%) and business operators aged under 40 years (17%).
- 61% of business operators were likely to report a ransomware attack to the police or relevant authorities, and 58% would not likely pay the ransom.
- Businesses which had previously been affected by a cyber security threat were more likely to pay the ransom (22%).
“A lot of businesses don’t know what to do, don’t understand their options, and don’t have the right security in place to combat a ransomware attack – so they pay the ransom. Unfortunately, when local businesses pay up it fuels the proliferation of this style of attack, and our research showed some SMBs paying ransoms of more than $50,000,” added Gorrie.
A quarter of small businesses have no Internet security solution
About 24% of Australian SMBs do not have an Internet security solution; the main reason business operators gave for forgoing Internet security, cited by 39%, was that it was not a priority for their business.
Even those businesses with Internet security are taking risks with their critical business information. While 89% of PCs and 87% of laptops are secured, that percentage drops to 66% for tablets and 58% for mobile phones.
“Once they have compromised a business, nothing matters to cyber criminals but payment – they don’t care about disruption to business or the impact on customers. Not having basic Internet security in place will, given time, compromise the business. This data illustrates how critical it is for Australian SMBs to make online security a business priority. Whether following best practices, using security software or investing in cyber insurance, there are myriad ways for SMBs to protect their business assets should they be impacted by a cyber attack,” said Gorrie.
Back-up and recovery – very poor
About 24% of small businesses back up their business data no more than once a month and amongst micro-SMBs, the figure is even higher with 33% backing up no more than monthly.
A total of 28% have had to retrieve lost data such as emails or deleted files on at least a monthly basis. Only 24% are using a cloud provider for their back-ups.
“It is concerning that Australian small businesses are leaving themselves and their critical business information exposed and vulnerable. When 31% of businesses don’t think they can last a week without their critical business information – it makes sense to do everything you can to protect it,” said Gorrie.
What can an SMB do?
Norton has provided some basic advice:
- Don’t wait until it’s too late: Sometimes businesses overlook things until it’s too late. Businesses shouldn’t wait until they’ve been hit by a cyber attack to think about what they should have done to secure their information. Not only is downtime costly from a financial perspective, but it could mean the complete demise of a business. SMBs need to begin understanding the risks and the security gaps within their business before it’s too late.
- Invest in security and back-up: To reduce the risk of being impacted by a cyber attack, SMBs must implement comprehensive security software solutions for all their devices. Businesses should also use back-up solutions to protect important files, such as customer records and financial information, and should consider encryption to add further protection in case devices are ever lost or stolen.
- Keep up-to-date: Ensure all your company devices, operating systems, software and applications are always up to date with the latest versions and patches. It’s a common pitfall for many small businesses to delay software updates, but outdated software, operating systems, and applications often have security vulnerabilities that can be exploited, leaving many small businesses open to cyber attacks.
- Get employees involved: Employees play a critical role in helping to prevent cyber attacks and should be educated on security best practices. Since small businesses have few resources, all employees should be vigilant, educated on how to spot phishing scams and ransomware attacks, and made aware of websites they should and should not visit on their work devices. Small businesses should invest in educating employees so they become the best line of defence against cyber attacks, not the weakest link.
- Use strong passwords: Use unique passwords for all your devices and business accounts. Change your passwords every three months and never reuse your passwords. Wi-Fi networks should also be password protected to help ensure a safe working environment.
- Consider adding a cyber insurance policy: Cyber insurance policies can cover a business for financial losses resulting from cyber attacks. About 14% of SMBs currently hold a cyber insurance policy, and for micro-SMBs, only 3% had a cyber insurance policy.