Realise Business recently teamed up with the Sutherland Shire Business Chamber to host a panel of cybersecurity experts to equip small business owners with knowledge and skills to protect themselves online.
Speakers included Skye Theodorou, a business advisor from the office of the NSW Small Business Commissioner; Samea Maakrun, owner of Sasy ‘n Savy; Louise Bavin, a lawyer from Australian Business Lawyers & Advisors; and Jeremy Nelson, the director of Minos Technology.
There was a lot of useful information raised at the event and we have broken it down into a number of highlights:
The stats | The latest insights into cybercrime and Australian businesses
Theodorou spoke about the recent report released by the NSW Small Business Commissioner into cyber safety that highlights some alarming statistics about small business’s relationship with cybersecurity:
- SMEs believe their limited online presence protects them from cybercrime (which is untrue as it’s estimated that 90% of all emails sent each day are spam)
- The cost of cybercrime in Australia is an estimated $1 billion each year
- Only 1 in 5 SME owner-operators purchase insurance products to protect them from cybercrime.
The victim | Cybercriminals who stole $130,000
Sasy ‘n Savy owner Samea Maakrun talked about her experience as a victim of cybercrime, describing just how easily $130k had been stolen from her. She believes that cybercriminals know how to easily hack into every single antivirus system available. She also recommended that people shouldn’t allow their Internet browser to save any of their passwords or credit card information.
The legal opinion | What is your business legally obligated to do in case of a cyberattack?
Louise Bavin spoke about the steps that businesses need to take if they’ve been hacked, describing the legal requirements that SMEs are under in terms of privacy policy and protection laws.
From February 2018, the Notifiable Data Breaches scheme will require private sector organisations with an annual turnover of more than $3 million and their related entities to report data breaches. Large corporations can face fines up to $1.8 million and individuals up to $360k for not reporting a data breach. Businesses need to immediately report data breaches to the Office of the Australian Information Commissioner, and they will also need to notify their customers and clients of the breach. Businesses can be held liable for an attack if they don’t demonstrate that they’ve undertaken reasonable cyber protection measures.
A data breach is “when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference”.
Bavin emphasised that businesses are under the obligation to ensure the protection of their customers’ data, as they’re the custodians of their customers’ information.
Advice | How to protect yourself online
The last speaker, Jeremy Nelson, provided the audience with tips on how to ensure their safety online. He spoke about the need to keep software updated, likening it to a car that needs to be serviced every six months.
“You have to look at your software as an investment. If you set up a website and you don’t look after it, over time security holes will be identified in it and then hackers will start to punch holes in it.”
Nelson spoke on the importance of having a back-up – and making sure that the back-up is usable: “Back-up is one half of that equation. Testing the restore process on a regular basis is the other half.”
Jeremy’s top cybersecurity tips are:
- Antivirus software (while good for day-to-day use) shouldn’t be the only security that companies have
- Ensure that users don’t have more access than they need, and if an employee leaves the company, their profiles need to be deleted or frozen, and all of their passwords should be changed
- Hackers can break into a 6-character password in about 10 seconds. An 8-character password extends this to 5 hours. Hackers usually aren’t persistent enough to keep trying if it takes too long
- To protect against website redirection, companies should have up-to-date website software and security patches and have a back-up of their website to quickly restore it
- Phishing emails can be identified if they have poor spelling and grammar, if the images aren’t working, or if the link you click takes you to a URL that’s not affiliated with the company’s website
Key questions from the audience
The panel was invited to answer the audience’s questions, and they shared some informative answers.
How can a business know when a hacker is attacking?
Hacking, especially the brute-force attempts that hackers use to guess your passwords or other information, takes its toll and uses up resources. A business owner was alerted to an attack because they lost all connections to their printer for no obvious reason. If things are loading slowly or if you’ve lost connection to your devices, this may alert you to the fact that something isn’t right.
Is there any insurance for cyberattacks?
There is, and it’s expected that the cyber insurance market will grow after the recent WannaCry/WannaCrypt attack. Cyber insurance cover can vary depending on the type of business you do, and it’s recommended that businesses do their research and find out what insurance best suits them.
What if you use e-commerce or another service and that gets hacked? Is it you or the e-commerce/service that’s at fault?
The onus is on the business or company, because at the end of the day, they’re the ones who are using the software and they went in knowing the risks.
—
Videos of each speaker have been released and you can find them here.