You’ll be aware of the dangers of cyber-attacks, but do you know the real risk to your business and what it means to be cyber-resilient?
The reality is, no business or organisation is truly safe from cyber-attacks, but there are steps you can take to be more resilient, including having the ability to respond to an attack efficiently and quickly.
Good risk management principles apply. Conduct risk assessments in relation to your cyber-security. Determine the likely risk and look at the cost versus benefit of implementing protection strategies.
This might be an old chestnut, but it should be a regular agenda item in boardrooms and partner meetings.
If you have any doubt that this is a serious issue for your business, consider these statistics from the Australian Government on the cost of cybercrime:
• 33 per cent of Australian businesses experience a cyber-crime.
• The average direct cost of a cyber-crime attack on a business is $276,000 (yes, that much!), and 53 per cent of that cost is spent on detection and recovery.
• 50 per cent of the costs of attacks are caused by web-based attacks and insiders.
• There are indirect costs to businesses too, including 40 per cent business disruption, 29 per cent information loss, 29 per cent productivity loss, 25 per cent revenue loss and 4 per cent equipment damage.
• The average time to resolve an attack is 23 days (51 days if the attack was a malicious insider, employee or contractor).
In a 2015 study, US-based Ponemon Institute questioned 30 large Australian organisations and found that each organisation underwent an average of 1.6 successful attacks every week. Ponemon said the average annual cost for organisations across all industry sectors was $4.3 million. The study found business disruption was the largest component of the external cost of breaches, at 40 per cent of the total, followed by information loss at 29 per cent, and revenue loss at 25 per cent.
2017 research by security software firm Norton shows cyber-attacks are costing small businesses in Australia an average of $6,600 per attack.
The SMB Cyber Security Survey found one in five small businesses were attacked during the previous year, with only 14 per cent covered by a cyber insurance policy. For micro-small businesses, this figure shrank to 3 per cent. The research also found that the biggest impact of cyber-attacks on small businesses was downtime (40 per cent), followed by the expense of re-doing lost work (26 per cent) and inconvenience (24 per cent).
Ignore the issue and it could be very costly to your business. Here are three important steps in any cyber resilience plan.
1. Understand why someone would want to attack your business. Assess the information you hold. Most attacks are for monetary gain, but there can be other motives. What is of value or at risk? Who is likely to attack, and what would they gain from an attack?
2. Educate your staff. Cybersecurity should be a ‘whole of business’ approach. It is not the job of one person. Have good security policies and procedures and remind staff regularly to follow them. Explain why they are necessary and the impact on them if there is an attack; this will increase the likelihood of compliance. Simple things like not clicking on attachments from an unknown sender can make a huge difference.
3. Have the ability to detect whether you have been attacked. Victims often don’t know they have been ‘hacked’ until weeks or even months after the event. Have the right software, with security information and event monitoring suited to your business, in place. It is good practice to carry out regular vulnerability scans and penetration tests. These help you identify weaknesses that could be exploited and allow you to address them before they become an issue.
Cyber-threats are evolving and so should your business’ response. Unfortunately, cyber attackers have managed to stay a step ahead of the cyber defender. While no protection system or cyber-security culture can guarantee absolute protection, the adoption of ‘holistic’ cyber resilience will substantially improve your business’ chance of managing cyber risks and reducing the damage to your reputation, credibility and bottom line.
Larger businesses have dedicated CIOs who focus on cyber security issues. For small to medium enterprises (SMEs), there are external experts who can help you and keep abreast of the latest types of attacks. They have devised and implemented solutions for other businesses, which makes for greater efficiency and success. This is one area where it is definitely worth investing in some external expertise.
Scott Edden, Partner, Business Performance Improvement at Pitcher Partners.
Scott Edden is a partner for Pitcher Partners, an accounting and business advisory firm based in the Hunter Valley.
Scott specialises in helping businesses make decisions and implement strategies to achieve profitable and sustainable growth. Scott has a Bachelor of Commerce from the University of Newcastle, is a Fellow of Chartered Accountants Australia and New Zealand and is a Member of the Australian Institute of Company Directors.