Small businesses across the country are experiencing a sharp uptick in sophisticated cybercrime. While cybercrime has always posed a threat to Australian businesses and their data, in recent years these threats have accelerated in magnitude.
However, if you couple education with more secure solutions such as cloud software and storage, eInvoicing over regular invoicing, and multifactor authentication, there’s a lot you can do to mitigate the risks.
We chatted with Ed Blackman, CTO of Reckon, to understand the specific threats that small businesses are facing and how you can combat them.
What spurred your interest in IT security and cybercrime?
“Two key things! Firstly Reckon’s customers expect us to maintain a high level of vigilance and action to prevent any security incidents from affecting the confidentiality, availability and reliability of their information.
Additionally, having lived through the impacts and cleanup of cyber security incidents both professionally as well as those that have affected my family, I naturally became interested in the best defence mechanisms available to protect information.”
How have you seen the nature of cybercrime change over the last few years?
“Cybercrime has grown significantly in scale and sophistication over the last few years. This is in no small part due to the work from home movement, spurred by COVID-19 lockdowns.
Those businesses who require employees to work or log in from home, of course have more digital processes in play which can increase the risk of cybercriminals targeting their digital assets. This is coupled with less security on personal laptops and home Wi-Fi networks.
However, due to the increased cyber threats around at this time, even those who didn’t work from home faced a higher threat level, due to the higher general prevalence, evolution, and sophistication of cybercrime.
What we see now are more sophisticated and targeted attacks than in the past. Criminals are getting smarter, phishing scams are more researched and realistic, and it’s no longer the poorly worded ‘Nigerian prince’ emails you need to worry about. Through social engineering and highly targeted scams, there is much more risk nowadays of getting tricked.”
How widespread is cybercrime and should small businesses be paying it more attention?
“The changing scale and nature of cybercrime means every business, large and small, is now a potential target. Just because you’re small, doesn’t mean you’re safe from being targeted.
In fact, according to Accenture’s Cost of Cybercrime Study, 43% of cyber-attacks are aimed at small businesses, but only 14% are prepared to defend themselves.
From basic phishing scams to identity access theft, the threat is more than most decision-makers realise.
Even before COVID-19 turned the traditional office model on its head, one estimate of the cost of global cybercrime predicted it would reach US$10.5 trillion annually by 2025.
Coupled with the fact that cyberattacks are rising 15% year on year, it’s clear that every small business owner should be taking cybersecurity extremely seriously.”
What are some of the most prominent threats for businesses to be aware of?
“One of the primary threats you’ll encounter are phishing scams. A phishing scam is a dodgy email sent from a nefarious actor. They may have malware links in the email, fraudulent invoices to be paid, or promise to grant the fraudster remote access to your computer. Phishing scams are also increasingly crafted as ‘smishing’ attacks that use SMS instead of email.
A quick way to check a suspect email is to hover your mouse over both the sender’s email to reveal the true email address, and the underlying domain behind the link they wish you to click on – usually a temporary address different from the text displayed. Never click on an email you suspect is illegitimate.
You should watch out for ‘spear phishing attacks’. These are much more targeted and sophisticated than regular phishing attacks. They involve someone researching your business and using real names, common suppliers, or business details to trick you into thinking it’s legitimate.
You also need to be on the lookout for malware and ransomware. Malware is malicious software, such as viruses, worms or spyware. Malware can defraud, steal data, or commit identity theft.
To protect against malware, install high-quality virus protection, update your software and operating system regularly and always backup important business data.
Furthermore, it’s best to turn on automatic updates for all your systems and software and enable automatic backups.”
What are the negative consequences of not having proper cybercrime protections?
“It’s hard to overstate how seriously an attack can devastate a small business. The ramifications of a data breach can be catastrophic…
There are a variety of scenarios that could catch you out if you don’t exercise the utmost cybersecurity vigilance. Perhaps you’ll pay an invoice that wasn’t real, leaving you with cashflow issues, or you might accidentally click a link that could leave you defrauded. You may be infected with malware or ransomware, which will compromise all your business and customer data.
If you experience catastrophic data loss, or breach public trust when sensitive customer data is stolen, this could signal the end of your business.”
Are there any ‘under-the-radar’ cyber threats out there that many people are not aware of?
“One of the biggest under-the-radar scams is physical security threats. These involve criminals physically accessing your workplace or home to steal data or devices. They might even plant keyloggers and other data-stealing devices on your equipment. Sometimes these are incidental to property theft, other times they know exactly what they’re after.
The solution starts with being proactive. Ensure you have adequate physical security around all your weak points, including your home, as well as good policies around who is allowed to access the workplace.
If someone does steal a business laptop or mobile phone, having biometric security, encryption, multifactor authentication, strong passwords, and cloud access are a must. Performing regular backups and enabling ‘find my device’ or remote access is also necessary for preventing data loss and criminal admittance.”
What advice would you give to small businesses looking to bolster their cyber security?
“Education is undoubtedly your primary tool of defense. I recommend that every small business undergoes cybersecurity training. It’s easy to find quick and high-quality courses online and they’re worth every penny or minute you spend.
Once you’re aware of the threats you may face, you can take diligent steps to recognise them and mitigate their capacity for harm. As spearphishing and social engineering attacks have become much smarter, being trained to quickly detect newer attacking styles is a must.
Consider this – if you do fall prey to cyberattacks, and your business and customer data is compromised or stolen – it could spell the end of your business.
On top of awareness and education in identifying scams, making sure you have multi-factor authentication across your business devices and software is a great place to start. Double-checking your logins with an authenticator or biometric tool drastically reduces your risk of being a victim.
You also need to consistently monitor who has access to important business software, such as your CRM, databases, online accounts, payment systems, or WordPress, then look to embrace the highest security versions of the software you use.
For example, choosing eInvoicing over regular invoicing will reduce the risk of fraud significantly. eInvoicing uses the highly secure Peppol network, which avoids the need to email sensitive PDFs and financial information.”