With more than 2.1 million small businesses in Australia, it’s no wonder they’re perceived as the engine room of our national economy. While they have a pivotal role to play in advancing our financial future, many small business owners will freely admit that they’re not technology experts. This digital knowledge gap makes small businesses an attractive target for cybercriminals looking to use small businesses as a back door to acquire prized data from within larger enterprises. It’s commonly known as logistical fraud and is creating a cybersecurity blind spot in Australia, with many small businesses unwittingly acting as third-party providers to larger organisations.
U.S. retailer Target suffered a data breach when cybercriminals gained access to the retailer’s system by way of stolen credentials from a third-party vendor. Over 70 million customers had their data compromised. In Target’s 2016 annual financial report, they stated that the total cost of the breach was USD $292 million. It’s fair to conclude that no one was knocking down the door to do business with the supplier at fault after this breach made headline news.
If you are a small business and not taking the necessary steps to secure your business, it could significantly jeopardise your relationships with existing customers. Additionally, irreversible reputational damage could mean losing important contracts with larger enterprises.
Our Canon Business Readiness Index suggests there is room for improvement when it comes to smaller businesses protecting their information security, revealing that smaller businesses are the least concerned about data security. It is possible that this stems from a general lack of awareness around the scale of cybersecurity issues, with only one in five (19%) conscious of and prepared for the national data breach notification scheme that came into effect in February.
The consensus among security professionals is that it’s now a case of ‘when’ and not ‘if’ a business experiences a breach. The fact that half of Australian small businesses are only ‘slightly’ or ‘not at all’ concerned about potential upcoming breaches is a little concerning.
Mandatory data breach disclosure legislation increases the pressure on smaller providers to elevate their security controls in line with those of larger strategic business partners.
So what are some of the biggest threats facing businesses today?
Gone are the days of the Nigerian Prince scam. Adversaries have become more sophisticated and are wielding an array of techniques in an attempt to penetrate businesses. Which threats pose the greatest risk to small businesses and inadvertently the larger organisations they deal with?
- Spear phishing – This is a social engineering technique designed to deceive users. It’s typically carried out by email spoofing. It often directs people to enter personal information into a fraudulent website. If executed by professional cybercriminals, the site will look and feel identical to the legitimate source with the only noticeable difference being the URL of the website in question. Earlier this year it was reported that real estate agents and home buyers in Victoria were being targeted. The scam asked home buyers to deposit funds into a bank account, with some losing more than $200,000.
- Whaling – The term ‘whaling’ refers to the size of the targets relative to those of typical phishing attacks: it specifically targets senior management such as the CEO, CFO or other executives who hold the keys to the kingdom. Whalers are likely to play a long game, watching and waiting, to really understand your people and your business. Their sophistication makes it easy to fall prey. In Austria, a CEO of an aircraft parts manufacturer was sacked after he fell victim to a whaling attack and lost his company more than $50 million AUD.
- Ransomware – This is a type of malware which locks computers or files until people pay a ransom fee. Unfortunately, coughing up the pennies is no guarantee that cybercriminals will unlock files. The ransom demand usually pales in comparison to the cost of downtime these attacks cause. In May 2017, a worldwide ransomware attack dubbed WannaCry affected more than 200,000 computers across 150 countries. The estimated damage was measured in billions of dollars.
If in doubt, ask!
In a volatile and rapidly evolving threat landscape, how can you defend your business against these malicious attacks, protecting your vital business and customer data?
The Australian Signals Directorate’s Essential Eight (ASD8) is a good starting point. This is a list of practical actions that will help make your computers more secure. But security must also be part of your company culture to reduce the risk that Helen in procurement or Paul in marketing will unsuspectingly click on a malicious link. Everybody has a role to play.
When working with third-party suppliers, make sure you ask how they will protect your data. It’s essential to ensure they have adequate security controls and mechanisms in place. The rule of thumb is to ask now rather than getting a nasty surprise later. No one wants to fall victim to logistical fraud.
If you’re looking to bolster your defences, find out about Canon’s IT Security Essentials Assessment. Tested against the ASD8, this cybersecurity audit will show how you rate and provide practical guidance on increasing protections.