A recent security survey found that one in four small businesses in Australia fell victim to cybercrime in 2017, a 25 percent increase on 2016, when cybercrime affected one in five [1].
According to the Commonwealth Government's Stay Smart Online guide for small business [2], cybercrime costs Australia around $1 billion per year, and 59 percent of Australian organisations have their business interrupted by cybercrime every month.
With figures like those, cybersecurity has to be top of mind for every business. In an age when so much is done online, improving your business's cyber resilience is vital if customers are to keep trusting you with their personal information.
Here are some important steps to take.
Get better acquainted with the risks
Whatever the size or scale of an attack, the effects can be catastrophic for a small business. Attacks include malware infections (viruses and other malicious software) and unauthorised access to your systems, or through them to the systems of your customers and suppliers. The consequences range from direct financial loss, such as stolen money or financial information, to business loss: damage to your reputation and significant downtime while you recover.
Understanding how these attacks are carried out is the starting point for reducing the risk.
Maintain due diligence and tech infrastructure
Tools and processes exist to safeguard your business from cyberthreats, and it is your responsibility to put them in place.
As good practice, you should:
- Use spam filtering to reduce the volume of spam and phishing email your staff receive.
- Set up firewalls to protect your internal networks from threats arriving from the Internet and over Wi-Fi.
- Encrypt your data both at rest and in transit, so that only approved users can read it.
- Use strong, unique passwords to protect access to business devices and accounts, enable multi-factor authentication wherever it is offered, and change a password promptly if you suspect it has been compromised (current guidance, for example NIST SP 800-63B, no longer recommends forced rotation on a fixed schedule, which tends to produce weaker, predictable passwords).
- Consider cyber insurance to cover the costs and downtime that an attack may cause.
Choose a cybersecurity partner
Keeping up to date with cybersecurity yourself can be time consuming; however, there are trusted companies dedicated to providing cybersecurity for small businesses.
One example is Trustwave, which offers TrustKeeper PCI Manager, an all-in-one security and PCI compliance product that helps protect your business from cyberthreats. It does so with a range of enterprise-level online tools including anti-virus, remote access security, point-of-sale device monitoring, mobile security and more.
Stay compliant to a set of security standards
Businesses that receive and store credit card data are subject to specific security requirements, yet most are not meeting them. The first step is to adopt a cybersecurity policy that states, in clear and simple terms:
- What data you will collect and how;
- Where you will store it; and
- How you will protect it throughout its life.
The protections consist of technology, people and business processes.
A cybersecurity policy typically covers:
- Roles and responsibilities for cybersecurity in your business
- System and network configuration
- IT change control policy: who can approve and make changes to computer systems
- Keeping details of the systems that process credit cards and account data
- Patching of security vulnerabilities
- Security scanning of networks, websites and computers
- Keeping administrative passwords secure
- Data classification and handling
  - What types of data do you hold?
  - What form is it in? Electronic? Paper?
  - Where do you store it?
- User acceptable use policy
  - Password requirements
  - Email standards
  - Handling of sensitive data, removable media and technology
  - Locking of devices
  - Social media and internal access standards
- Data retention and disposal
  - Paper and electronic media handling
- Firewall and network administration
- Anti-virus and endpoint protection
- Encryption policy
- Remote access
- Cloud systems
- Incident response plan
- Protecting devices at the point of sale
- Risk assessment process
- Supplier requirements
  - Use of PCI DSS Level 1 service providers to process cards
  - Use of validated payment software to process cards (at the time of writing this meant PA-DSS; PA-DSS has since been retired in favour of the PCI Software Security Framework)
  - Approving and monitoring suppliers and contractors
Fortunately, you are not alone. The Merchant Trust Initiative provides a tool to generate a cybersecurity policy that is appropriate for your business.
The protections you need to put in place are well summarised by the PCI DSS standard, and while it focuses on account data, its principles extend naturally into a comprehensive security and privacy management system. Organisations that maintain PCI DSS compliance are therefore better placed to resist attacks and to limit loss and damage to their customers' trust.
Regularly update and review your security systems
As cyberthreats evolve, so do the security measures that counter them. Regularly update your applications, including anti-virus software, browser and website plugins, and operating systems, so that known vulnerabilities are fixed before new attacks can exploit them.
It is also good practice to back up your business's data regularly and keep the backup somewhere safe, isolated from the device being backed up so that malware on that device (ransomware in particular) cannot reach the copy. This could be an online backup to a cloud service or an external storage device such as a USB or external hard drive that is disconnected between backups. Check each backup after it is made and periodically test that you can actually restore from it; a backup that has never been restored is not yet a backup.
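The backup routine described above, as an added example that is not code from the article or from any vendor it names. It assumes the destination directory stands in for a separately mounted or cloud-synced volume (a placeholder path), and the sample business files it backs up are constructed here for the demonstration. It writes a SHA-256 sidecar alongside each archive so a copy can be checked later without access to the source, detects a corrupted or tampered copy, and prunes old copies while keeping a fixed number of recent ones.

```python
"""Backup with integrity verification and rotation (added example, not the article's own code)."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, streamed so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, dest_dir: Path, stamp: Optional[str] = None) -> Path:
    """Archive src_dir into dest_dir as backup-<UTC stamp>.tar.gz and record its digest in a sidecar."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    sidecar = archive.with_name(archive.name + ".sha256")
    sidecar.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the digest matches the sidecar and the archive still opens and lists members."""
    sidecar = archive.with_name(archive.name + ".sha256")
    if not archive.exists() or not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False  # truncated, corrupted or tampered copy
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError):
        return False


def prune_backups(dest_dir: Path, keep: int) -> List[Path]:
    """Delete the oldest archives (and their sidecars) beyond the newest `keep`; stamps sort by name."""
    archives = sorted(dest_dir.glob("backup-*.tar.gz"))
    removed: List[Path] = []
    for old in archives[: max(0, len(archives) - keep)]:
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
        old.unlink()
        removed.append(old)
    return removed


def demo() -> dict:
    """Run the whole cycle on constructed sample data in a temporary directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "business-data"  # constructed sample data, not real records
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (src / "invoices.txt").write_text("INV-001 paid\n")
        dest = root / "backup-volume"  # placeholder for a separate drive or cloud-synced folder
        first = create_backup(src, dest, "20240101T000000Z")
        fresh_ok = verify_backup(first)
        second = create_backup(src, dest, "20240102T000000Z")
        third = create_backup(src, dest, "20240103T000000Z")
        with second.open("ab") as f:
            f.write(b"\x00")  # simulate a corrupted or tampered copy
        corrupt_ok = verify_backup(second)
        removed = prune_backups(dest, keep=2)
        remaining = sorted(p.name for p in dest.glob("backup-*.tar.gz"))
        return {
            "fresh_ok": fresh_ok,
            "corrupt_ok": corrupt_ok,
            "removed": [p.name for p in removed],
            "remaining": remaining,
            "latest_ok": verify_backup(third),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the destination would be a drive that is unplugged after the run, or a cloud bucket whose credentials on the workstation allow writing new objects but not deleting or overwriting existing ones, so that malware on the source machine cannot destroy the copies; the sidecar digest is what lets you prove, months later, that the copy you are about to restore is the one you made.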
- [1] Norton SMB Cyber Security Survey 2017.
- [2] Australian Financial Review, 13 August 2018. "More needs to be done by SMEs on cyber security: Angus Taylor".