Small businesses are the backbone of the Australian economy. They create around 7 million jobs, contribute to 57 per cent of Australia’s GDP, and cement our reputation as a nation of entrepreneurs. They are also the least equipped to deal with a cyber-attack.
In February this year, ESET Research Labs and Symantec reported they had detected new data-wiping malware, HermeticWiper, on hundreds of machines in Eastern Europe. It was not clear how many networks were affected or exactly who was targeted. Further investigation found that the malware’s timestamp showed it was created in December last year.
Why is that important for Australia and our small and mid-market business economy?
Recent events have shown that attacks on critical infrastructure, services organisations and health organisations can represent a huge challenge. They not only cause technical issues but, more importantly, affect the lives of many people and cause enormous economic damage.
Businesses have several options for immediate cyber resilience, even if they haven’t achieved a level of cyber maturity and are still in a planning phase. It is important to act quickly, and small and mid-market organisations can use quick tips and advice to help them tackle immediate threats and vulnerabilities.
What to do to prepare if you are a small-medium business – practical steps
First, the advice from the cyber experts is the same: business leaders need to review their cyber insurance policies for the implications of any business interruption from a cyber incident.
It’s likely their insurer has exclusions for acts of war, or acts deemed to be taken by a nation state. If their cyber insurance policies do have these carve-outs, that further raises the importance of making sure their internal business processes are ready to minimise the severity and duration of any cyber incident.
Second, if the organisation is already on a path to align or be compliant with any standard, regulation or guideline with a cyber maturity model, then great. Review and see if you can speed up or prioritise the most critical controls and implement them faster to minimise your exposure.
If your organisation doesn’t have a current cyber framework, then think about small but important steps to minimise risk.
The following are six key steps an SME can take to manage a cyber incident.
- Lock down your network. Switch on multi-factor authentication (MFA) on your critical systems ASAP. Microsoft 365 doesn’t have it by default, so investigate it with your IT staff or IT provider, as it is usually only for admin accounts. If you do not use Microsoft, explore other MFA providers such as LastPass, 1Password, OneLogin, Authy, Google Authenticator, CyberArk and RSA SecurID, to name a few.
- If you have difficulties with MFA, consider implementing a password management tool and ensure your passwords are complex enough (usually over 8 characters, including numbers and special characters). A simple precaution is to change passwords immediately and ask your staff to do so as well.
- Run a quick training session with your staff to warn them (yes, once again!) about the possibility of phishing attacks and the importance of not clicking on links in suspicious emails, even if the emails look legitimate. Double check, and encourage a ‘better safe than sorry’ attitude.
- Ask your IT staff or IT provider to patch your external-facing and business-critical software immediately as a matter of priority.
- Expect ransomware attacks and data destruction attacks. To mitigate the risks of those, ensure your backups are up to date, isolated from your main network, and properly protected.
- Ramp up your response capability or, if you do not have one, reach out to your IT provider. Either way, make sure you have an internal communication protocol you can quickly deploy in time of need.
Being prepared is a milestone on the way to resilience and can make a huge difference in protecting your business during difficult times.