Protect your small business from cyber criminals
Podcast episode
Speaker 1:
Welcome to CPA Australia's With Interest podcast, bringing you this week's need-to-know information for businesses and accounting professionals.
Jennifer Duke:
Hello and welcome to CPA Australia's With Interest podcast. I'm Jennifer Duke, external affairs lead at CPA Australia. It's Monday the 17th of October. You're joining us now smack bang in the middle of Cybersecurity Awareness Month, and we really couldn't be having this annual event at a more critical time. The Optus cybersecurity breach has attracted the attention of the public and the media. Almost 10 million customers in Australia have had their information compromised in the hack. For many, this includes driver's licences, passports, and Medicare numbers. I know people who've been affected and you probably do too. Perhaps you're even one of them. Make no mistake, this has been a scary event for many. It's also just downright inconvenient, leaving busy people having to check credit reports, replace personal documents, and overall just be on the lookout for dodgy activity. But this isn't the first major data breach in Australia, and it's not controversial to say this probably won't be the last one we'll see. In fact, a report by Privacy Australia found a ransomware attack is occurring every 11 seconds. If your business is caught up in a breach, what should you do and how can you protect yourself and your customers? Joining me now to hack into the issue, pun intended, is CPA Australia's head of public practice and SME, Keddie Waller. Keddie, welcome to the podcast.
Keddie Waller:
Thanks, Jen.
Jennifer Duke:
Firstly, I want you to explain to our listeners today exactly what we mean when we are talking about a data breach. How frequently is it happening? Who's behind these problems, and which businesses are affected?
Keddie Waller:
A data breach is when personal information about a person is accessed or disclosed without their authorization, or it may also be lost by the entity that held that information. Importantly, only where the entity has not been able to prevent the likely risk of serious harm as a result of the breach does it need to be reported by that entity. This year, we've seen a significant increase in incidents, as you alluded to in your introduction, with new notifications of entities being compromised. And those responsible for the hacks range from individuals, even teenagers, taking advantage of data on the dark web, through to sophisticated syndicates. As you said, we only have to look at the Optus incident to see how quickly one significant incident can actually impact a large proportion of our population.
Jennifer Duke:
That's definitely the case. And right now, there'll be some people listening who have been caught up in the Optus breach, as we mentioned, or another data leak. What are the risks customers face if their data is stolen?
Keddie Waller:
There's really a variety of risks that people can face. And this could be everything from their details being used to apply for a credit card or other financial services in their name. It could be to apply for benefits such as income support. And it could even be to apply for a passport. There are really serious consequences if there is a data breach with your personal information. And it really is an area that has to be taken seriously in terms of the response by the entity. But we also individually have accountability to take steps to protect our own personal information as well. And it really is important to understand that data theft is not the only risk. Phishing emails are still the biggest threat to individuals and businesses. And that's where personal information that is contained in an email inbox, for example, might be accessed. Last year the Australian Centre for Cybersecurity reported that the average loss per successful phishing incident was more than $50,000.
Jennifer Duke:
Large businesses like Optus, but also the banks, obviously collect huge amounts of information. But they also typically have a lot of resources at their disposal to protect this information. Even these corporate giants are subject to attack. Where does this leave small and medium businesses?
Keddie Waller:
It really does highlight the significant risks that small businesses and medium businesses will face in this space as well, Jen. The ACSC actually reported a 13% increase in cyber crime last year. What does that mean in real terms? It means that there's one incident every eight minutes. I mean, that statistic alone is extremely alarming. And if you think about ransomware, that continues to evolve and grow in sophistication almost daily. It really does show the importance of this area. And it really is imperative that small businesses take the right steps to protect themselves, their business and their staff and clients.
Jennifer Duke:
Data really is, of course, the new oil and it's very hard to do business without it. How damaging can a hack actually be for a business?
Keddie Waller:
You've really hit the nail on the head here, Jen. Data is the new oil. Every business holds data that can be exploited. This could be something as simple as a hacker breaching your system and actually impersonating a staff member, and putting through, for example via email, a request to change their details for their pay. Or using that information to access your suppliers or your clients and send them a fake invoice for payment. We've spoken a lot about the ACSC and the different statistics they're collecting. They're actually saying that the financial loss on average for a business from a breach is currently over $33,000. But when you think about what could actually happen to a business during a breach, this figure could be significantly higher, if you are shut down for a period while you're being investigated or recovering from that breach. And that might be on average for a month, for example, depending on the nature of your business. There's also the significant reputational damage to your business, and that is not just an immediate but a longer term impact. The statistics are actually showing us that some small businesses just will not survive a cyber attack.
Jennifer Duke:
That's pretty miserable. What should a business do if they think that they have unfortunately been subject to a breach?
Keddie Waller:
The first step is really to check if there is a breach and whether you need to report it. To do that, you can visit the Office of the Australian Information Commissioner and follow their guidance. And you have to let them know your organization or agency name, your contact details, a description of the data breach that has occurred, and the kinds of information that have been involved. As we've seen with Optus, it could be driver's licences, or personal information such as Medicare details. And then you have to provide recommendations to that individual about the steps that they should actually take in response to that data breach. If you hold cyber insurance, I would also recommend one of the first things you do is contact your broker, because they will be able to give you guidance. And if your cyber insurance has, for example, access to specialists, they'll be able to come in and actually start doing some investigations into your systems. If you don't have cyber insurance, then I recommend you call your IT support for that same guidance. Importantly, one thing you should not do is immediately restore your previous data backup. What this can actually do is wipe any trace of how someone accessed your system or what data was accessed during that breach. Like I said, the first thing to do is check your responsibilities legally and then call in the specialists for help.
Jennifer Duke:
That's all really good advice for after the breach has occurred. But we know that businesses want to protect their customers right now. They're probably feeling a little bit overwhelmed listening to this. Let's go back to the basics for a minute. I know CPA Australia has a cybersecurity hub that's a good source of resources for business. That link will be in the show notes for anyone who wants to check it out. But what should businesses do right now to protect their own data and that of their customers? Can you step us through what those businesses should be doing?
Keddie Waller:
Yeah, absolutely, Jen. And like you said, we do have that cybersecurity hub and it has great information. And one of the things that is in that hub is a self-assessment checklist. Now, this is a checklist in a traffic light system. It's available to everyone, whether you're a member of CPA Australia or not. And what you should actually be doing is working through that checklist and aiming to at least answer every question in red as a yes. Now, this will cover things like procedures to ensure all of your devices are up to date, including hardware and software, because things like patches are important to actually help protect your data. You also need to think about how you can protect your accounts using things like multifactor authentication, including other things like antivirus software installed on your systems, and making sure you are regularly backing up your data, be it to the cloud or also to an external hard drive. Now, they're all important things you can do to protect your business, but the number one thing you can do is actually invest in training for your staff. Something like 99% of breaches that happen in small business are actually a result of human error. It's not something they're doing maliciously. It is just doing something like clicking on a phishing email and not understanding that it wasn't actually a real email from a supplier. If you can invest in your staff and teach them how to spot phishing emails and other attacks, how to protect data by going through some of these processes, implementing steps such as having verbal confirmation before you're paying an invoice from a supplier, you will actually help protect your business from the biggest risk. And like I said, that is human error.
Jennifer Duke:
I think that's all really good advice. One of the things that keeps coming up quite regularly is whether or not that data should be collected or held onto in the first place. What does best practice look like in terms of the sort of information collected by businesses and how it's stored? And when should it be deleted?
Keddie Waller:
Jen, I'm going to confess, I'm definitely not the expert in this area. And it actually is quite complex depending on the nature of your business and the IT infrastructure of your business as well. But there are some key things you need to know. For example, you need to know where your data is stored. In which jurisdiction is it being held? Because there might be specific laws that apply to the storage of that data. You need to have backups that can be stored offline and online: in the cloud, and also those external backups, those hard drive backups. You need to aim to have at least one copy of your data accessible at all times, if you can, stored in a separate location. And that way, you can actually get back up and running and have access to your systems if you do suffer a cyber attack. What is really important, though, is that you should only retain data that you're legally required to. For example, if you're a tax practitioner, you generally only need to retain your clients' records for a period of five years. If you think about Optus, some of the information that was being held had been on file for more than 10 years, and that's had a significant impact. There is also guidance from the OAIC on how to destroy personal information, noting that there actually are some legal obligations, depending on the type of information that you're actually holding, as to how that information must be destroyed. As I said, I'd recommend getting some guidance in this space, and you can visit www.oaic.gov.au for further information.
Jennifer Duke:
Obviously, even with strong defence mechanisms in place, there's still a risk for businesses. One option that I think you've referenced already, but that I hear a lot, is to simply take out cybersecurity insurance. Can you explain to us how that works? Is it a viable suggestion for businesses of all sizes? And doesn't it just act as a bandaid after customers have already been affected?
Keddie Waller:
Yeah, so Jen, cybersecurity insurance can actually provide a lot of support for a business if they have actually experienced a cyber breach. Like you said, this is a mechanism that comes in after the fact, but it will actually provide support, including financial and sometimes forensic support, a cyber specialist to help you understand how the attack has occurred and help protect your business in the future. What we have actually seen this year is the market heighten considerably. And that's just because of the number of incidents that happen and continue to climb throughout the year. And what that has actually had is a flow-on impact. Premiums are now three to five times more expensive than they were at the start of this year. The other thing we're seeing is that insurers and underwriters are actually putting in place a number of criteria that you must have in place before you can access cybersecurity insurance. If you think back to that checklist I spoke about earlier and some of those red questions in that traffic light system: if you're not going through and having some of those things in place, you won't actually be able to access that cover. It does actually come into effect after the incident. But because of the steps you have to take to access it, to actually go through that underwriting criteria, like patching and some of those other steps and procedures, and because it actually provides financial support if you do suffer a breach, it can actually be a really worthwhile asset to a business.
Jennifer Duke:
Are there any other protections that businesses should consider alongside this?
Keddie Waller:
Yeah, absolutely. As we were just saying, cybersecurity insurance is something that is going to support you post an event happening. What you actually want to do is prevent your business from being the subject of an attack. It will be the number one risk for all businesses at the moment. There are so many great resources that everyone can access that are complimentary for small business and individuals. The Australian Centre for Cybersecurity has really great resources that go through some of these steps for individuals and for small businesses. And it really is something that we need to take personal accountability for. CPA Australia also has a cyber hub. We have free e-learning for our members as well, and it covers topics such as building a cybersecurity strategy or responding to a cybersecurity event. But we also know that small businesses are really time poor, and we've got other challenges at the moment, like staff shortages. And if this is not an area of expertise or passion for you, then it really could be worth investing in some specialist advice to make sure you and your practice have the right protections in place and make it harder for you to become a victim.
Jennifer Duke:
Definitely. I think advice is always a crucial thing for every business. It sounds like there's an awful lot that they have to think about at the moment in navigating this space. Do you have any final tips for business owners who are listening?
Keddie Waller:
Yeah, definitely. Look, I think the one thing to take away from this is that cybersecurity and the sophistication of the risks that you can face is rapidly evolving. This is not an area where you can put a strategy in place and set and forget. You need to have an up-to-date response plan, and you need to continually invest in training to support your staff. My key message would be stay engaged, stay informed, and practise what you and your team would need to do in case you do suffer a breach.
Jennifer Duke:
Definitely. Keddie, this is clearly not an issue that's going to go away anytime soon, but that is all we have time for today. Thank you for joining me. For all our listeners, if you want to access CPA Australia's cybersecurity hub, there will be a link in the show notes. If you've got a question about any of the topics we've discussed, any of CPA Australia's policy and advocacy work, or you'd like to suggest a topic for With Interest, please email [email protected].
Speaker 1:
Thank you for listening to this week's episode of With Interest. So you don't miss an episode, please subscribe to the CPA Australia podcast on Apple Podcasts, Spotify, or Google Podcasts.
About this episode
The recent large-scale Optus data breach in Australia is a timely reminder to small business of the importance of cyber security.
In this episode, we explain what small businesses can do to avoid falling prey to cyber criminals.
It includes advice and explanations on the different types of data breaches, email phishing scams, how cyber insurance works and more.
Host: Jennifer Duke, CPA Australia External Affairs Lead
Guest: Keddie Waller, CPA Australia Head of Public Practice and SME