Cyber security remains a hot topic for businesses across the globe, with a recent report exploring how it affects small and medium-sized enterprises (SMEs) and start-ups. RSM’s recently released thinkBIG report focuses on what cyber security breaches mean for SMEs and start-up owners and how they can protect themselves.
In the report, RSM partner and privacy and security specialist Ashwin Pal warns these business owners against viewing size as a layer of protection.
“Smaller players tend to be acutely aware of their lack of resources, so it’s natural for them to assume criminals won’t have any interest in what they perceive to be slim pickings,” he says.
“But no individual or organisation is immune from cybercrime.
“If you are on the internet, you are vulnerable. A cybercriminal is just as happy to spend a day stealing $250,000 from four modestly sized start-ups with basic cyber defences as to spend a day stealing $1 million from a larger start-up with more sophisticated cyber defences.”
In recent years, supranational groups and governments have been tightening laws around the collection, storage and use of data, perhaps most notably in 2018 when the GDPR (Europe), CCPA (USA) and Notifiable Data Breaches Scheme (Australia) were introduced.
With businesses now required to notify the relevant regulator and any potentially impacted stakeholders of breaches, and sometimes slapped with hefty fines or penalties, the financial and reputational consequences are becoming increasingly catastrophic.
RSM’s thinkBIG report states that while cyber security “remains more of an art than a science”, there are some basic precautions all business owners can take.
Failure to do so may see them facing regulators or the court without a leg to stand on, and may affect their prospects of raising equity, achieving an initial public offering (IPO), listing or getting acquired.
Despite SME and start-up owners being aware of the risks, many struggle to prioritise the issue, according to the report.
But RSM in Canberra principal Michael O’Hehir is all too aware of how vulnerable business owners are, citing a client who recently fell foul of a security breach while undertaking a fit-out for new offices.
“There was a deposit to be paid of $250,000. My client received an invoice for payment which was legitimate,” Michael says.
“Within 10 minutes a new email was sent from the same address updating the invoice with ‘corrected’ payment details, stating they recently changed banks and had used the old bank details.
“The client paid and only realised there was a problem when the sender checked up on payment the next day.”
Though the bank was able to recover the full deposit for Michael’s client in this instance, he says a near miss involving a quarter of a million dollars is “very traumatic”.
After combing through the annual reports of the 271 companies listed on the ASX during the past three financial years, the RSM report also concluded cyber attacks were far more widespread than we realised.
A staggering 83 per cent of surveyed organisations suffered a ransomware breach between 2017 and 2022.
Of those organisations, 32 per cent publicly disclosed the ransomware attack.
The average time it took Australian companies to detect and contain a data breach was 311 days and the average cost of an attack in 2021 was $3.7 million.
Though rarely reported in the media, cyber attacks occur every day of the week, sometimes with life-altering consequences.
“Similar events like the one that affected my client have been known to happen at legal firms for deposits on properties,” Michael says.
“My client now rings before any major or irregular payment is made.”
This case study illustrates just one of the more granular precautions business owners can take to protect themselves under three broad strokes summarised in the thinkBIG report – understanding your duties, taking action and remaining alert to emerging threats.
There is no “one-size fits all” approach to cyber security, and companies should consider engaging external experts to get ahead of their risks – an investment that can come in well under $3.7 million.
Contact RSM in Canberra for a comprehensive assessment and advice for your SME’s current cyber security needs from some of Australia’s most respected cyber security experts.