Australian businesses know their cybersecurity has never been more vital. Yet, businesses are increasingly falling prey to cybercriminals, losing hundreds of millions of dollars every year (1). When there is so much at stake, how are business leaders managing the ongoing threat and safeguarding future growth?
Cybercrime (2) is on the rise in Australia, with a breach now reported every seven minutes, according to the Australian Cyber Security Centre (ACSC) (3).
Its data shows not only is cybercrime becoming more frequent, but it is also growing more expensive. Last year, small and medium businesses lost an average of $39,000 and $88,000 respectively, per reported breach — and the bigger a business, the more at risk it may be.
“Larger businesses tend to attract exponential interest from fraudsters. Their turnover might be one hundred times larger than another business, but they are 1,000 times more likely to be a target,” says Sam Crowther, founder and chief executive of cybersecurity firm Kasada.
“From their point of view, the risks are similar but the rewards on offer are far bigger so they think that they might as well go for the jackpot.”
There is far more at stake however than a one-off financial loss. Even if a business can sustain the immediate fallout, it may take months or even years to rehabilitate its image, says Lorenzo Schirru, Head of Fraud, Strategy, Risk and Governance at Macquarie’s Banking and Financial Services.
“The damage to a business’ reputation and brand can be enormous. There can be customer attrition and customers may openly question your business and ask, ‘well, am I safe with you?’”
Eli Glotzer, Head of New and Emerging Growth Industries at Macquarie Business Banking, says cybersecurity has become “one of the key challenges for small to medium-sized enterprise” and one business owners cannot afford to be complacent about.
“If you were unable to trade for a week, if you couldn’t access any systems, or if you incurred a significant financial loss, would your business be able to survive?” asks Glotzer.
“If the answer is ‘no’, then the next question is logical. What are you doing to mitigate that risk?”
Protect your ‘primary asset’
A spate of recent high-profile data breaches has underlined the danger such attacks pose to businesses and their customers alike.
In some cases, criminals may pursue a ransom while in others they might then use customer information to target individuals directly.
“We’ve recently seen a massive uptick in attempts to crack into people’s accounts,” says Crowther. “They’re targeting retailers, trying to get access to customer accounts and steal credentials or steal any credit they might have.”
As a result, businesses need to be on high alert. Schirru says it is essential that customer data is treated as a business priority. Key to this is clarifying what information the business actually needs from customers, and what its responsibilities are when recording and storing it.
“If they securely store customer data — and only hold customer details they actually need — then even if they were to be targeted for a breach, they’re less likely to actually suffer any type of information loss and, consequently, a financial loss.”
Mitigate this $227 million threat
Often an attempt on a business will first show up in an inbox, with 91% of all cyberattacks starting with email (4), according to Microsoft.
One of the most common methods is Business Email Compromise (BEC), in which criminals impersonate a known person, such as a supplier, in order to obtain access or money fraudulently. The message may come from a lookalike address or, where the impersonated person’s own mailbox has been compromised, from their genuine email address.
In Australia, BEC cost businesses $227 million in 2021, the highest loss of any scam affecting businesses, according to the ACCC (5).
In one example Glotzer describes, a property buyer received an invoice they were expecting from an agency and paid more than $50,000 into the account nominated on it. The email came from the agency’s genuine address, but the bank details on the invoice had been substituted. The money was moved out of the fraudster’s account immediately and was gone.
In this instance, the customer willingly transferred the money, albeit unknowingly to the wrong account. Not only did the property buyer lose their money, but they also still owed the sum transferred into the fraudster’s account to the legitimate vendor.
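The impersonation pattern described above can be partly caught at the mail gateway, before a human ever reads the message. The following is an added example, not code from the article or from any of the firms quoted in it: it checks an incoming message for the usual BEC tells (a known contact’s display name on an unfamiliar address, a domain one character away from a trusted one, a Reply-To pointing elsewhere, a request for new bank details, and urgency language). The address book, trusted domains and both sample messages are constructed for the example. Note the limit it shares with every header check: in the property case above the message came from the agency’s genuine mailbox, so only the body checks would fire, which is why the callback control in the next section matters.

```python
# Added example, not from the article: header and body checks for the
# Business Email Compromise pattern described above. The address book,
# trusted domains and both sample messages are constructed for this example.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed address book: display name of a known contact -> the address we hold for them.
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@example-agency.com.au"}
TRUSTED_DOMAINS = {"example-agency.com.au"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|final notice)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new (bank|account) details|updated? (our )?(bank|account)|bsb)\b", re.I)


def within_one_edit(a: str, b: str) -> bool:
    """True if a differs from b by exactly one insertion, deletion or substitution,
    the usual shape of a lookalike domain (examp1e-agency vs example-agency)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # extra character in b
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def assess_message(raw: bytes) -> list[str]:
    """Return the BEC red flags found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display-name impersonation: the name we know, an address we do not.
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr:
        findings.append(f"display name '{name}' is a known contact but address is {addr}, not {known}")

    # 2. Lookalike domain within one character of a domain we trust.
    if domain not in TRUSTED_DOMAINS and any(within_one_edit(domain, t) for t in TRUSTED_DOMAINS):
        findings.append(f"sender domain {domain} is a lookalike of a trusted domain")

    # 3. Replies silently redirected to a mailbox the attacker controls.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To {reply} differs from From address {addr}")

    # 4. Content: a request to pay new bank details, and pressure to act fast.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if BANK_CHANGE.search(text):
        findings.append("message asks for payment to new bank details")
    if URGENCY.search(text):
        findings.append("message uses urgency language")
    return findings


# Constructed sample: lookalike domain, mismatched Reply-To, new bank details, urgency.
SUSPECT = b"""From: Jane Smith <jane.smith@examp1e-agency.com.au>
Reply-To: accounts.jane@mail-relay.example.net
To: buyer@example.com
Subject: URGENT: updated settlement account
Content-Type: text/plain; charset="utf-8"

Hi, please note our new bank details for settlement before you pay.
Payment must be made today to avoid penalties.
"""

# Constructed sample: the genuine contact at the genuine address, nothing unusual.
CLEAN = b"""From: Jane Smith <jane.smith@example-agency.com.au>
To: buyer@example.com
Subject: Settlement invoice attached
Content-Type: text/plain; charset="utf-8"

Hi, please find the settlement invoice attached. Regards, Jane
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, assess_message(raw) or ["no findings"])
```

Run as a script it prints five findings for the constructed suspect message and none for the clean one. A single finding is rarely conclusive on its own (a genuine supplier can write “urgent”), so in practice the findings feed a score or a quarantine rule rather than an outright block, and a message with no findings still gets the callback treatment if it changes where money goes.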
In sectors where substantial sums of money are commonly being transferred, the risks posed by these types of scams are particularly acute.
“If your business is making large payments to suppliers and they are writing to you to confirm that they’ve changed their banking details, how are you validating the legitimacy of this information? What are the processes that you are identifying and establishing to help mitigate the risk of fraud?” says Glotzer.
One simple control is to verify any such change over a separate, pre-agreed channel, so that the request and its confirmation never travel the same route.
“If you receive a change of account message from a supplier, standard practice should be to contact their business verbally to validate the communication and account details, to make sure it’s legitimate. And check that the number that you call on the invoice matches your system records, as fraud is increasingly sophisticated, and seemingly authentic. It might take a little extra effort, but it could save your business financially.”
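The rule in that quote has a precise shape: a change of bank details is accepted only after a voice callback to the number the business already holds, never to a number printed on the request itself. The following is an added example, not the article’s or Macquarie’s own process, that encodes it as a payee-change check an accounts-payable system could run. The supplier register, change request and callback records are constructed for the example. It covers the two ways the check is usually defeated: a callback placed to the number on the invoice, and a request whose “contact” number quietly differs from the one on record.

```python
# Added example, not from the article: a payee-change control that encodes the
# callback rule quoted above. The supplier register, change request and callback
# records are constructed for this example; a real system would read them from the
# accounts-payable records.
import re
from dataclasses import dataclass


def norm_phone(s: str) -> str:
    """Compare phone numbers on digits only, so '(02) 9999 0000' equals '0299990000'."""
    return re.sub(r"\D", "", s)


@dataclass(frozen=True)
class Supplier:
    name: str
    bsb: str
    account: str
    phone_on_record: str   # captured at onboarding, never copied from an invoice or email


@dataclass(frozen=True)
class ChangeRequest:
    supplier: str
    new_bsb: str
    new_account: str
    contact_phone: str     # whatever number the request or invoice shows


@dataclass(frozen=True)
class Callback:
    supplier: str
    number_dialled: str
    confirmed: bool        # the supplier confirmed the new details by voice
    staff: str             # who made the call, for the audit trail


def verify_change(register: dict, req: ChangeRequest, callbacks: list) -> tuple[bool, list[str]]:
    """Return (approved, notes). A change of bank details is approved only after a
    confirmed voice callback to the number already held for that supplier."""
    notes = []
    sup = register.get(req.supplier)
    if sup is None:
        return False, ["supplier is not in the register; onboard it first"]
    if (req.new_bsb, req.new_account) == (sup.bsb, sup.account):
        return True, ["bank details unchanged; nothing to verify"]
    if norm_phone(req.contact_phone) != norm_phone(sup.phone_on_record):
        notes.append("contact number on the request differs from the number on record; do not use it")
    ours = [c for c in callbacks if c.supplier == req.supplier]
    to_record = [c for c in ours if norm_phone(c.number_dialled) == norm_phone(sup.phone_on_record)]
    if len(to_record) < len(ours):
        notes.append("a callback went to a number taken from the request, which proves nothing")
    if not any(c.confirmed for c in to_record):
        notes.append("no confirmed callback to the number on record; change rejected")
        return False, notes
    notes.append("change confirmed by callback to the number on record")
    return True, notes


def apply_change(register: dict, req: ChangeRequest, callbacks: list) -> tuple[bool, list[str]]:
    """Update the register only when verify_change approves; the phone on record never changes here."""
    approved, notes = verify_change(register, req, callbacks)
    if approved:
        sup = register[req.supplier]
        register[req.supplier] = Supplier(sup.name, req.new_bsb, req.new_account, sup.phone_on_record)
    return approved, notes


# Constructed data: the supplier as onboarded, a request to pay a new account that
# arrives with a fresh "contact" number, and two ways the clerk might have responded.
REGISTER = {"Acme Building Supplies": Supplier("Acme Building Supplies", "062-000", "11111111", "02 9999 0000")}
REQUEST = ChangeRequest("Acme Building Supplies", "062-001", "22222222", "0400 000 001")
CALLED_INVOICE_NUMBER = [Callback("Acme Building Supplies", "0400 000 001", True, "ap.clerk")]
CALLED_NUMBER_ON_RECORD = [Callback("Acme Building Supplies", "(02) 9999 0000", True, "ap.clerk")]

if __name__ == "__main__":
    print(verify_change(REGISTER, REQUEST, CALLED_INVOICE_NUMBER))    # rejected
    print(verify_change(REGISTER, REQUEST, CALLED_NUMBER_ON_RECORD))  # approved
```

The design choice worth copying is that the phone number used for verification is a property of the supplier record, set at onboarding, and is deliberately not updatable through the same change path as the bank details. If a fraudster can change the callback number and the account in one request, the callback verifies nothing.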
Strengthen your weakest link
Types of attack differ, but many rely on the same thing to succeed: human error. In any process, people are going to be a primary target.
“If you look at scams and the way that they’ve evolved, it’s all around social engineering,” says Schirru. “Why would I bother trying to break into your house for example if I can convince you to open the front door and help me load the truck?”
It takes only one staff member falling victim to expose the entire business. Business owners cannot monitor every threat their entity faces, but they can ensure their employees are trained to spot the warning signs.
This might involve running simulated phishing emails to check that staff are recognising red flags, such as spelling mistakes, urgent language and dubious links, and reporting anything suspicious they receive. In other cases, it might mean ensuring you have procedures in place for dealing with incoming calls.
Businesses need to remain vigilant and ensure they are validating who they’re speaking with when dealing with external communications.
Partner up
Not every small business has the scale to employ a full cybersecurity division, but that does not mean they do not have other resources at their disposal.
“Most businesses would be working with a managed service provider, or MSP. Those are there to help businesses manage documents in the cloud, their websites, their cyber risk frameworks and data storage practices,” says Glotzer.
“Businesses should be thinking about how they’re partnering with their MSPs and making sure they have a clear checklist of the things you want them to be covering and advising you on.”
In an inflationary environment, business leaders may be looking to cut as many costs as they can, but they cannot risk skimping on security.
“You need to look at it like a form of insurance or business continuity plan, where you’re paying a premium to help protect against huge downside risk,” says Glotzer.
“Any asset that has a value should be protected, be it personal property, or a business. People wouldn’t consider leaving their home unnecessarily vulnerable to theft. Cybersecurity protects business value, and client trust.”
In fact, if costs are a concern, a compelling business case could be made for engaging external partners.
“It can be really advantageous because it’s usually far cheaper and it means you get access to far more experience and knowledge than you would ever be able to build internally,” says Crowther.
Prepare for the worst
Even when business leaders treat cybersecurity as a key priority, things can still go wrong, so it is crucial that contingency plans are ready to go when they do.
“If there’s a fire, employees know that they’ll need to evacuate the building and meet at a certain location down the road. The same principles go for your cybersecurity,” says Schirru.
“You’ve got to have playbooks in place on how to respond to an event. That might involve things around who to report to, what cascading communications look like and what other prudent risk management practices are there.”
For those plans to kick into action, there must also be a culture of transparency. Mistakes inevitably will be made so staff need to feel comfortable reporting them.
“Once someone discovers an event, they have to make it known as quickly as possible so that you can actually do something about it,” says Schirru.
That should include informing your bank — and possibly your partners and suppliers — about what has happened, he adds.
“If something has happened to one of our Business Banking customers, which could ultimately impact their customers, then that is something they need to bring to our attention as quickly as they can, so that we can find out first what happened, what the scale of it is and what we can do to remediate.”
While banks cannot advise a business directly, Macquarie may be able to direct customers to its fraud team if they are worried about a particular event or compromise.
But even when things go wrong, Schirru reminds customers they should never disclose their banking details, passwords or security codes to anyone, including their own bank.
Work backwards
When assessing their cybersecurity, robust businesses start by analysing where the biggest risks lie.
“You have got to understand what is most valuable and ask yourself what someone would want to steal and that will change industry to industry. For law firms it might be sensitive documents whereas for a construction company it could be intellectual property,” says Crowther.
“So, you rank your assets in terms of what could hurt you, whether it’s reputational risk or losing a competitive advantage, and then you figure out your strategy to defend against it rather than the other way around.”
There are no guarantees that what works today will work tomorrow. Businesses should be periodically checking that they have adequate protections in place.
“There is never going to be a single way to protect against cyber criminality. It is important to agree on the governance frameworks that businesses have to help manage ongoing risk,” says Glotzer.
“The risks will evolve as cyber criminals get better at what they do. It’s imperative to stay abreast of change.”
Key takeaways
- Validate and check: Establish and follow set processes. Make sure staff are appropriately trained to detect red flags, monitor external communications, and know how to treat — and where to report — anything suspicious.
- Lean on partners: Check your systems and talk to your service providers to understand what you need to do to safeguard your business, its reputation and future growth.
- Assess and prepare: Regularly review your cyber systems to ensure you are prepared to prevent and address any potential cyber breaches.