Why small business needs to understand cybersecurity risks
Intro:
Hello, and welcome to the CPA Australia Podcast, your weekly source for accounting, education, career and leadership discussion.
Nigel Hedges:
Welcome, Damien and Tyler, to this podcast on cybersecurity, particularly with a theme on how this relates to small and medium businesses. There's a lot of evidence to show cyber attacks and its resultant damages from breaches, disruptions to business, cost to productivity, and the cost to recover are very real. So we'll dive into a few of these questions with you, if you don't mind. But first, I wouldn't mind if you could just tell us a little about yourselves, what got you into cybersecurity, and what your main focus right now is. Tyler, would you like to start?
Tyler J. Wise:
Sure, Nigel, yeah, and thanks for having me. So my cybersecurity journey is probably a little bit different to the traditional one. I am a practising public accountant, and the reason cybersecurity is important to me is a bunch of years ago we suffered an attack. It was fairly uncommon, I guess, at the time. And I was very curious about what instigated it, where our information, our data went, and what was involved. There wasn't a huge amount of help out there. Not even the police were terribly concerned at the time. Obviously, it's a different story now. And so ever since then it's been a bit of a rabbit hole, I guess, if you like. Over the past 18 months, two years, I've been able to segue into another business that is, I guess, wholeheartedly with cybersecurity at its heart. We provide those services to other accountants and lawyers as such. Our main focus is raising the awareness and education around cybersecurity and trying to remove the inertia that is generally there for a lot of people.
Nigel Hedges:
That's fantastic. And look, it's a common theme, I suppose, that paralysis that people have when something like this happens, when they're not familiar with how to deal with it. So it's amazing that you were able to recover and take it to advantage. Damien, do you mind giving us a bit of introduction?
Damien Manuel:
Sure. Thanks, Nigel. I've been in cybersecurity for more than 25 years now. I originally got interested in computers when I was 11 and joined a hacker collective group, and then had an interesting experience which then led me to leave that hacker group when a biker turned up to extort floppy discs from me. I thought that wasn't a good thing to do as an 11 year old kid. But I got into cyber when I was much older. By trade, I'm a secondary science teacher. So it just goes to show that people in cybersecurity come in all shapes, forms and sizes. People come from different backgrounds. There are some people that are in cyber because they've got a policy and a legislative lens. Others are more of a risk and a governance perspective. And then you've got others that join it from a technical or even a leadership perspective. For me, the main focus is really around helping small to medium businesses become more cyber resilient, and that involves helping them to understand the risks and the tactics used by criminals and hostile foreign countries as well.
Nigel Hedges:
Great. And you're dead right, I think even before the skill shortage, and that's certainly an issue, but the need for diversity in this field is certainly playing an important role in making sure we're innovative and creative in what we do here. So thanks for that, both. So question for you, cybersecurity and cyber risk in recent times has certainly increased dramatically. What are your views of what are the biggest risks at the moment? And if I was to ask a second question, do you think it differs from how SMB, small to medium business, and enterprises approach this?
Damien Manuel:
I think the biggest things at the moment are identity theft, ransomware and business email compromise. That's really for small to medium businesses, and large enterprises are equally impacted as well. The advantage, I guess, that large enterprises have is they'll tend to have more people from a cybersecurity perspective to help and assist, and they may be more mature from an organisation perspective as opposed to a small to medium business where being digital or having people with skills in cybersecurity is not a business focus or priority.
And I'd say if you look at it from a society perspective, the other big challenge we have is misinformation, which is people making mistakes around information and passing on incorrect information. Then you've got disinformation, which is the one that's really the most dangerous because it's really about putting false information out there intentionally as a form of propaganda to undermine and subvert democratic societies. And that is quite often used extensively by criminal syndicates and, more often than not, foreign hostile governments.
Nigel Hedges:
Wow, yeah, it certainly puts a lens on how important it is for us to know what the official resource channels are and be able to rely on those. Tyler, did you have any thoughts here?
Tyler J. Wise:
Yeah. I think I probably echo Damien's sentiments a lot there. I think from our sort of, I guess, niche that we're seeing is generally it's a lot of social engineering that is playing a big risk at the moment. And from that, the best example of that is those phishing attacks. Then from there, ransomware attacks and the data being compromised, encrypted, leaked, whatever it might be from that point.
But generally, there's just that lack of awareness, being able to identify what is a genuine email, text or voice message, whatever it might be, and just the level of sophistication that has been evidenced over the past 18 months particularly. There's just so much greater risk than there ever was because we're getting communication from so many platforms and people we previously haven't, and you don't quite know what's legitimate and what isn't. I think generally between the bigger business and the smaller businesses, the end result is the same and the criminal's after the same output. It just depends on the infrastructure they've got and what those, I guess, attack vectors look like. But ultimately, from what we're seeing, it's that social engineering and ransomware attacks are just so prevalent at the moment.
Damien Manuel:
Yeah, and it-
Nigel Hedges:
Wise words.
Damien Manuel:
I know a guy who, something as simple as leaving their wallet in the car. The car got broken into and the wallet was stolen, and his identity was stolen, effectively. Somebody then opened up accounts in his name, racked up a bad credit rating in his name and a whole other sort of challenges. It's literally taken him over 12 months to try and get enough documentation and the evidence that he's kind of got his identity back to some extent, but every time he has to go to a bank, he's got to go through the rigmarole of explaining everything in terms of why there's a bad credit rating there and it was actually through fraudulent activity of somebody else.
Nigel Hedges:
That's incredible. Look, it really does impact not only businesses but individuals. I think there's 151,000 reports of cyber attacks in Australia, according to the Scamwatch website, with about $166 million lost, with 80 million of that in investment scams. So you've got two major delivery mechanisms being phishing and this sense of urgency you're seeing in the calls and SMSs, threats of life and arrest and fines. Certainly hard to wade through.
I guess us being in the cybersecurity industry, we see a lot of this and it's easy to focus on this. But for SMBs and the small, medium businesses focusing on their business, that's what they're trying to do, cyber is, to some extent, a distraction and especially during recent times. Why do you think cyber is an important thing that small, medium businesses need to consider?
Tyler J. Wise:
I think the cybersecurity and just having an understanding of just an awareness of cyber, if you like, is really important because it's not thought of as one of those fundamental pillars of conducting business, but you see any business when they suffer an attack, their ability to conduct business is directly impacted. The average cost, even for small businesses, despite the ransomware, is in the vicinity of $750,000. So the cost is genuine. And so no business really has the capital to simply pause business and outlay nearly a million dollars. So not having that awareness or the understanding of cyber and cybersecurity can pose a really big impact on just your ability to conduct overall business. Forget the repercussions down the line, which can have a really big impact on your reputation and such, but just not having those fail-safe mechanisms in place from the onset is really consequential.
Even the awareness is one thing, but it's having it ingrained. Because like you just said then, Nigel, like that real sense of urgency. It was only yesterday where a client suffered a man-in-the-middle attack. They paid an invoice that had been altered. And so the details of the payment they made went to the actual vendor. And it was because it was that sense of urgency, "If you don't pay it, we won't deliver the goods in question." So they paid it, didn't bother to confirm the bank details. As a result, they obviously didn't get the goods because, as far as they were concerned, the invoice hadn't been paid. But they just weren't aware of those sorts of attacks and being aware of the strategies that these criminals will undertake in order to get your information and your money. So just that lack of awareness can have a really big impact financially, and then, but again, just your overall ability to conduct any kind of business.
Nigel Hedges:
Damien?
Damien Manuel:
Yeah. That business email compromise is a huge one, and you'd be surprised how effective that is in terms of scammers being able to trick people into paying money into other accounts. It's really important, I think, for small to medium businesses to realise that as we become more digitally connected and dependent, they really need to understand the consequences of the technology that they're using. And I don't mean it in terms of needing to know how to configure it, but needing to know how it could be abused or misused. So at least that way they've got an understanding of what criminals would typically do, or even hostile governments do, to try and trick organisations to parting with their money or giving those criminal syndicates access to your systems.
It's really, really important that people understand that the information that they have and the systems that they've got and the businesses that they own, while they think that it might not have any value in terms of the information that they've got to somebody else, there's always the ability for criminal syndicates to monetize information. So they might attack one of your suppliers and steal a customer list from there. They might attack you and then steal address details. They might attack somebody else and then get some other data. What they do is they aggregate all that information together and then it actually has more value that could be sold to other criminals or could be used for blackmailing purposes or for other sort of exploitation mechanisms.
So it's really important for SMEs to really understand that just because you might run a small business with 20 or 50 people, it doesn't mean that you're not going to be of interest to these criminal syndicates. A classic example is the whole third-party supply chain risk. A lot of small to medium businesses make up the supply chain of larger companies. And so the best way to attack a larger company is to go for the weakest link, which is attacking the smaller organisation which probably doesn't have the security controls or practices or business processes in place.
Nigel Hedges:
Interesting. Yeah, definitely. There's a very large accounting software provider that posted last year and I quote, "Local businesses, especially small and medium-sized enterprises, will need to focus on security if they are to successfully and safely change their operating model in the face of the coronavirus pandemic." So certainly, the COVID scenario has exacerbated these situations, which is probably related to something else I wanted to ask you both, and that's, I think we've covered some of the challenges already around third-party, for example, but are there any other challenges you think SMB, SME are having to address with cyber at the moment? And I guess more importantly, because all this doom and gloom is one thing, but are there kinds of solutions or resources that you think that small, medium businesses should be looking towards for help?
Tyler J. Wise:
What we're generally seeing, and touched on it before, is just that lack of education and awareness. Because we're familiar with the term, but we're not familiar with what it requires. It doesn't help that the media sensationalises so much of these cybersecurity attacks and such that it can feel overwhelming to everyday people, if you like. But I think the education doesn't need to be formalised or anything along those lines, and case in point, everything I've learnt is from diving headfirst, if you like. For me, where you're trying to help people, we point them into the direction of the... The government have some great resources out there. They're spread across a few sites, but generally we like to tell everybody go at least to cyber.gov.au. There's a whole bunch of resources on there. We try and encourage them to familiarise themselves with the essential eight. Because regardless of your business size, those core eight fundamental principles can really help improve your overall security.
So we try and make sure that they're aware that having a sound cybersecurity plan doesn't have to involve a big budget and that there are a lot of resources out there. They've just got to know where to look. We also really try and encourage people to make sure they've got an incident response plan. Because after an attack, there is that sense of violation. It's quite emotional, a sense of paralysis as well. So, if they can just step through what they need to do by having a document. Again, we mainly deal with accountants and lawyers, so we know that having something written down in black and white is something they can relate to and can step their way through. Having those things can just help them in the event that they do suffer an attack. Because we generally do hear it's not a case of if, it's when, which is, again, like you say, a bit of doom and gloom, but it's just one of those things. You've just got to plan. Then when it does happen, you can at least step through it and hope to come out the other side. But there are so many wonderful resources out there provided by the government because they are taking this cybersecurity and the cyber area very seriously.
Nigel Hedges:
Yeah. I suppose it being a global issue, but certainly in Australia, you're dead right, the cyber.gov.au website has links for small and medium businesses. business.gov.au also has some cybersecurity resources. And I noticed that the Tasmanian government with their Digital Ready website also has some very good information for beginners and curated for people that are fairly new to this. So you're absolutely right, there's lots of good government resources out there. Damien, did you have any perspective from an industry angle?
Damien Manuel:
Yeah. No, I do. I think the key thing is really for people in businesses to think of cybersecurity not as an IT challenge or a problem only. There is an element of an IT aspect to it, but it'd be good for them to think of it just like any other business risk. And that involves people aspect around education awareness, driving behavioural change within the organisation, looking at processes that might need to change in the organisation. That business email compromise that Tyler mentioned where invoices get changed. If you receive an email with a different bank account detail on it, rather than just processing it straight away, pick up the phone and call the person that you would normally speak to. Don't call the number that's listed in that document because that's often going to be the scammer's phone. So little business process changes like that as well help.
Then there's the technology side. From a resource perspective, like you said, there is a lot of information out there and it's really, how do you distil it down to find what are the gold nuggets that you really should be paying attention to or reading? Cyber.gov.au has a lot of good information. Sometimes it can be a little bit dry. It'd be nice if the government had a bit more of a tailored user-friendly sort of interface. There is something that Deakin announced last month, which they're working with Victorian government and CPA Australia around a digital innovation SME hub for businesses to pivot during a time of COVID and become a bit more cyber resilient.
You've got industry associations. There's a number of different ones of those, and they often hold events that you can go to. Sometimes those events are free and it's a good way to network with individuals that are in the industry. I think it's also a good way to get an understanding of the talent that's available in the market through those associations. Or even tapping into your local TAFEs or universities. They're often looking for ways to give hands-on skills, if you like, to some of the students that they're training. And so you may be able to pick up some students at next to nothing in terms of free internships and, in some cases, paid internships to help the business become a bit more cyber resilient.
Nigel Hedges:
Great. Some good suggestions there. I think we've talked about government resources and industry. There's also the community angle. In August 2020, the Australian government released the Cyber Security Strategy. The purpose of that, in part, was to assist small and medium enterprises to grow and increase their cybersecurity awareness and capability, we've certainly talked about that, and also to assist with the large businesses and service providers who also provide assistance to SMBs with cybersecurity information and tools. Why do you think that collaboration is so important? And why do you think the government has put a focus on that now?
Damien Manuel:
I think it's pretty important because cybersecurity is such a big problem. It can't be solved by one party alone. So it's not something that the government can solely solve. It's not something that citizens can solve. It's not something that SMEs or even large enterprises can solve in isolation. It's about all the different parts coming together and working together. If you look at it from a government perspective, they've got a number of levers. They can impose regulations and legislation. They can put out policy statements, force the adoption of certain standards. They could use incentives such as government grants or tax incentives.
They could help shape the talent pipeline, which has got a longer three to five year play, by reducing course fees or making some courses free, like cybersecurity is at TAFE. There's also the education component that government can do around driving campaigns, a bit like road safety but in terms of digital online safety. Then from a citizen perspective, people have to take responsibility for their actions. When you do see something and it doesn't sound right or it doesn't feel right, chances are it's not going to be right. That Nigerian prince that's offering you a million dollars to put money into your bank account, it is clearly going to be a scam.
Nigel Hedges:
You mean that's not true?
Damien Manuel:
That's not true. And even things like they're getting very crafty where you'll get a fake email that looks like it's a DocuSign document that needs to be signed that could come from one of your clients. When, actually, when you look at the email address, you can actually see it's coming from a different location. Or your parcel has been delayed and you need to click on this link and add credit card details or supply additional information to get your parcel released. So it's an awareness, I guess, of trust less on the internet because there are a lot of individuals out there that are looking to make a buck off you. So there's that aspect.
Then from a business perspective, there's a duty of care, a duty of care to your staff, to your customers, to your suppliers. And if you become the weak link, it is something that's a disadvantage to the group as a whole, because you are a key component of the supply chain. So don't think that being lax or a little bit slack about cybersecurity is okay, because, at the end of the day, it'll impact your business, your employees, shareholders if you're a listed company and it could negatively impact your reputation and the ability to get further contracts or work.
Nigel Hedges:
Good and interesting thoughts on, I guess, that government and industry angle. Tyler, I wondered from a boots-on-the-ground perspective, and you gave an example a little earlier about how this has impacted a particular business, so what do you think this means? How can the government help with this collaboration? Do you have any thoughts there?
Tyler J. Wise:
Yeah. I think it's a really welcome collaboration and an important one. I think the government realised that whenever a cyber attack happens to any business, anybody, there's a whole bunch of collateral damage, if you like, unsuspecting people being caught up in the data leak as an example or whatever it might be. And so I think they understand their role is a bit like a spider web, if you like. They've got to be the centre of it and making sure that it's all coming together.
Much like Damien said, we've all got a responsibility towards cybersecurity, and the government's just taking charge on this, trying to provide that leading hand to help everybody get on track. Without it, a cyber attack is a pretty lonely place, and we see a lot of businesses really reluctant to engage after one. They want to pretend that it hasn't happened. They feel victimised. And so I think now knowing that the support is there, that the government is constantly providing the resources and the education and confirming that it's okay, and okay in air quotes, if you like, just, again, helps with removing that inertia and getting people on the right track. Because, again, and not to repeat myself, but it really does come down to the fact that any cyber attack impacts more than just the designated victim. And so making sure that you can protect as many people as possible I think is really important. The government understanding that and leading that way is quite refreshing.
Damien Manuel:
Yeah. It's really about sharing information. Like, if you are in a group of other business leaders, don't be afraid to have a conversation around, "What have you seen? What kind of attacks have you experienced?" Because the more people share and communicate and the more people exchange information with each other, the more they'll learn and the better prepared they'll be.
Really, cybersecurity is, at this point in time, a bit like occupational health and safety was probably 25, 30 years ago. When I first got a job as a 15 year old while I was at school still, I worked for a company which was called McEwans, which is the precursor to Bunnings. And as a 15 year old, I was driving a forklift, unloading and loading trucks. From an occupational health and safety perspective, I didn't have a forklift driver's licence, and that kind of thing wouldn't be tolerated today. So it's a bit of a maturity journey that we're all on from a cybersecurity perspective. So think of cybersecurity like occupational health and safety, and it is going to mature over time.
Announcer:
We hope you're enjoying this CPA Australia Podcast so far. As business and finance rapidly transforms, so does leadership to drive recovery, adaptability and growth. From the 20th to the 22nd of October, join the global CPA Australia community at Virtual Congress to discover how you can play a significant role in a time of change. For more information, go to the link in the podcast show notes page.
Nigel Hedges:
So, gentlemen, we've talked about cyber especially from the risk perspective and how and why it's important. But we've seen some information, especially with AustCyber's report last year talking about cybersecurity as an enabler for the digital economy that Australia is going to be going through. Did you guys have any thoughts about that, cyber as an enabler rather than as an inhibitor?
Damien Manuel:
Yep, definitely. Look, cybersecurity is really there to help enable the business to do the things it needs to do but with lower risk. If you get cybersecurity people telling you, "No, you can't do that," you've got the wrong kind of people that you're working with. You really need to think of, cyber people should be saying, "Yes, you can do that. And the best way to do that is A, B, C," type of thing. One of the examples, I think, Nigel, that you use is brakes on a car, that brakes on a car, while they stop a car, they're there so you can accelerate and travel faster. So I think it's really important that people do understand that cybersecurity is not the department of no, it's the department of yes, but the safest way of achieving an outcome.
It's going to become more and more important as we look at data and some of the systems that we're starting to connect now, particularly from the ATO's perspective. They've got a lot of information now that they aggregate from different sectors, banking, they look at data analytics in terms of spending patterns and money that's going to people's accounts and how frequent. All that is made possible through digital technology and enabled through security to make it secure for them to get better at data and better intelligence on that information to make better decisions. So I think definitely, cybersecurity is an enabler.
Nigel Hedges:
Tyler, you have that fantastic background of being an accountant by practice and moving into cyber as a field of expertise. Does that resonate with you, cyber as an enabler?
Tyler J. Wise:
100%. That's one of, I guess, the key things we're trying to get over the line is that we're not trying to stop the productivity of a business, and that goes for any business. We're just trying to make sure that there's some level of cyber awareness and understanding, I guess, the dangers of getting it wrong. But conversely, because we have, I guess, we've been rather negative throughout this, but you get it right and then you've got these great foundations, a bit like when you build a house, I guess. If you just get it right at the beginning, or at any point, for that matter, it really enables your business to grow and go forward with a bit of confidence.
Without it, you can get the speed wobbles, if you like. And so not having a very good cyber strategy can cause you to come unstuck at some point. So we try to make sure that businesses are just aware of what they need and why they should have it, but at the same time not saying, "You need to stop what you're doing, tools down, and just focus solely on cyber attacks and cybersecurity," because that's not going to necessarily pay the bills for them. So it's dovetailing it into what they're doing and then allowing them to move forward with the confidence. Because, exactly like you said at the beginning, the economy has changed now. We do so much online. So it's just slotting in this cyber awareness and security to allow them to go forward with a lot more, again, confidence.
Nigel Hedges:
That's fantastic. And I love the house analogy. Okay. So we've talked about a lot of things and there's so many things that folks can do, but if there was one thing, maybe one thing to start with that small and medium businesses could do in the next 12 months to help them with cyber, what would that be?
Tyler J. Wise:
I always like to start with the analogy, whenever we're speaking with someone, to say that the best day to plant a tree is today. And so we just want them to just make a start. A lot of times you don't quite know where to start and that's that whole inertia and paralysis, that can be it. So, again, the best place, we find, is just starting with awareness and education. So try and point them at a bunch of resources they can go, get into it under their own appetite and then start the discussions with their internal IT departments or whoever it might be.
We don't want the budget to be the constraint. We don't want really anything. We just want them to be making a start and improving. Because it's a constant journey, I think that much is for sure. And so if they can just, again, get going, hopefully the momentum will then see them introduce a lot more strategies, take it seriously and have those policies and procedures within their business to protect them moving forward. But, again, just trying to remove any kind of barriers to them making a start and hoping from there it gets the right momentum and moving forward they're a lot stronger and safer.
Nigel Hedges:
Damien?
Damien Manuel:
Can I be a bit cheeky and I'll do three? But I'll do one for each of the areas around people, process and technology. So just like Tyler said, around people, definitely around awareness and education. Because what you really want to get to is a point where that drives behavioural change and cultural change in the organisation. So people are a little bit more aware of the kinds of scams and how they might be manipulated to give somebody access to your business.
Then from a process perspective, as a business owner or the manager of your own business, think about how you, if you had to attack your own organisation, what are the areas that you would exploit from a process perspective? And think about how you might improve those business processes. Then from a technology side, really quick and simple, make sure you do automatic patch updates. Enable that on your system so that way they're always being updated as frequently as possible.
Nigel Hedges:
Fantastic.
Tyler J. Wise:
I really like that point. Sorry. So a nod to Damien, just for them to be looking at it from their own perspective, like, "How would I attack myself?" Because I think if you look at it from a computer point of view, I guess, is you know what's sensitive on your computer, what you wouldn't want anyone else to get or have access to. And so if you make them think about it from that point of view, that could really drive that change that you've mentioned.
Nigel Hedges:
That is fantastic. Damien, Tyler, really informative chat. Thank you so much. I've really appreciated your perspectives and insights into cybersecurity. Thank you very much.
Damien Manuel:
Thanks for having us.
Tyler J. Wise:
Thank you. It's a pleasure.
Outro: Thanks for listening to the CPA Australia Podcast. For more information on today's episode, please visit the show notes at www.cpaaustralia.com.au/podcast. Never miss an episode by subscribing to our podcast on Apple Podcasts, Spotify, or Stitcher.
About this episode
Identity theft, ransomware and business email compromise are some of the biggest risks for businesses large and small.
While large businesses have the people and resources to tackle cyber criminals, many small businesses lack support and the wherewithal to address the issue, which is only increasing with lockdowns forcing many businesses to work remotely.
The Annual Cyber Threat Report 2021 reports that internet dependence has only generated more opportunities for malicious cyber actors to exploit vulnerable targets in Australia.
In this podcast episode three cyber experts show how having a robust cyber plan can save money, time and reputation.
Host: Nigel Hedges, Head of Information Security at CPA Australia
Guests: Tyler Wise, Founder, Wise Accounting and Damien Manuel, Director of the Cybersecurity, Research and Innovation Centre, Deakin University