‘Surprisingly vulnerable’: Cyber expert rings alarm on gaping holes in Aussie small businesses
Small Aussie businesses have glaring holes in their cyber security, and it’s costing them dearly as tougher penalties take effect.
The average cost of an all-too-common cyber attack on Australian small businesses is at least $50,000, a cyber security firm has found.
As federal regulations tighten to impose larger penalties on businesses that do not have their security up to scratch, the vast majority of Australian small-to-medium businesses still have weak digital protection.
Sydney-based company ViCyber uses AI to do cyber health checks on small businesses, and co-founder Aastha Gupta is seeing gaping vulnerabilities daily.
“We have to push our businesses to be more protected because our consumers are protected by our businesses,” Dr Gupta said.
Government research shows about half of Australian businesses (with fewer than 200 staff) are taking a DIY approach to cyber security, spending less than $500 a year.
A quarter of Australian small and medium businesses with PCs use outdated and vulnerable Windows 7 or an even older operating system.
“You’d be surprised how vulnerable some of these businesses are,” Dr Gupta said of customers her business had worked with.
“They’re using Windows 7 and they’re a pharmacy or accounting firm.”
The three main cyber risks faced by Australian small-to-medium enterprises (SMEs) are IT configuration and implementation errors, privacy risks stemming from poor data-collection practices, and cyber extortion or ransomware.
“Manufacturers are targeted for business critical information that is of use to competitors,” Dr Gupta said.
“Office365 is being exploited and attackers are sending out false invoices.”
ViCyber analysis on its customers shows the average estimated cyber loss for Australia’s small businesses is $50,000 per incident per location, with potential losses ranging from $25,000 to $200,000 depending on the nature and scope of the cyber incident and the company’s size.
ViCyber works with pharmacies, which change hands often; when they do, the security of their patients’ prescriptions and personal information becomes an afterthought.
The personal data is gold for a hacker to on-sell. Extortion threats after a ransomware infiltration are common for Australian small businesses too.
“The landscape is shifting, with new minimum standards set to be in place for businesses, but the threat of fines alone won’t make us more secure,” Dr Gupta said.
“Australia’s SMEs need solutions that are cost-effective and clear to understand.”
ViCyber says it can provide small businesses without a large IT budget with the checks needed to ensure compliance with the new regulations.
A government plan to ban ransom payments has been shelved for now, but other costs and regulations have been put on businesses in the wake of major hacks of Optus and Medibank.
Changes to the Privacy Act in 2022 introduce fines for small companies that suffer “serious” or “repeated” data breaches, ranging from $15,000 up to $2.1m.
For large companies, fines start at $2.2m and rise to whichever is the highest of: $50m, three times the financial benefit the hackers received from the breached data, or 30 per cent of the company’s adjusted turnover.
Small business owners have bemoaned the new penalties, but the loss of ongoing trade and reputation could well dwarf any penalties.
However, the financial cost to Medibank for its data being stolen in 2022 could be astronomical.
In proceedings filed in the Federal Court, the Office of the Australian Information Commissioner alleges contraventions of the Privacy Act for each of Medibank’s 9.7 million customers, the Australian Financial Review reports.
Medibank Private says it will defend the matter, but at $2.2m per customer, a comprehensive adverse finding could result in a $21.5 trillion fine.