Practical cyber risk management for SMEs

This article was first published in the June 2021 edition of the LexisNexis Risk Management Today.

Malicious cyber activity against Australian individuals, businesses and government agencies is on the rise, with the Australian Cyber Security Centre (ACSC) noting that cybercrime is one of the most pervasive threats facing Australia, costing the Australian economy up to $29 billion annually.

Whilst the threat of cybercrime continues to increase, the general awareness and resilience of individuals and businesses remains low, particularly amongst small and medium enterprises (SMEs).

In this article we outline the common cyber threats faced by SMEs, the various obligations SMEs may owe in the event they are a victim of cybercrime, and outline our top tips to mitigate the risk of cyber attacks.

What’s the risk?

Privacy protection

The misuse, loss or unlawful disclosure of personal information can have serious consequences and it is essential that SMEs understand their obligations regarding integrity and confidentiality under data protection laws.

The Australian Privacy Principles determine how entities must handle, use and manage personal information. But what is “personal information”? Even for entity that is not required to comply with the Privacy Act 1988 (Cth), the general guidelines are good risk management.

The Privacy Act defines “personal information” as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. This may include a person’s name, address, telephone number or bank account details. Sensitive information - such as a person’s race or religion - is afforded even greater protection. The definition is format-neutral and can have unintended application - for example collecting photographs can record ethnicity, which is
sensitive and requires higher protection.

A data breach is when information is compromised and has or is likely to result in serious harm to an individual. Given its potential to ruin your reputation, it’s no wonder businesses have kept quiet about breaches in the past. Why would you report a hack when you have so much to lose?

With the introduction of the notifiable data breaches scheme on 22 February 2018, most businesses now have no choice but to report cyber breaches to the Office of the Australian Information Commissioner (OAIC).

Failure to notify a breach may result in enforcement action by the OAIC. Where there’s serious or repeated interference, civil penalties may also apply. SMEs may also be liable under general law (such as employment, contract, tort or consumer law) for certain breaches.

From July to December 2020, the OAIC received 539 notifications with 58% of these incidents occurring as a result of malicious cyber attacks.

BEC frauds

Whilst privacy protection remains an important issue, SMEs also face another significant threat - business email compromise (BEC) frauds.

BEC frauds are the most common form of cyber attack against SMEs, and usually occur as a result of a security breach of the businesses’ computer network (or that of a third party) as a result of phishing attacks, email spoofing or through social engineering techniques.

The hackers then leverage access to the businesses’ email systems to:

• impersonate the business and issue fraudulent emails which contain malicious phishing links (mass distribution) or
• issue fraudulent transfer instructions to induce the transfer of funds or sensitive information (payment redirection fraud).

Given BEC frauds usually occur as a result of a breach of the businesses’ email systems, this can have serious privacy consequences. This risk is amplified mass distribution cases with thousands of recipients becoming aware of a potential data breach on the businesses’ systems.

The threat is more immediate in the event of a payment redirection fraud, with the SME either suffering a loss of its own funds or those of its clients (which will attract potential liabilities).

In the 2019/20 financial year there were 4255 incidents of payment redirection frauds reported to the ACSC, representing losses of over $142 million. Unfortunately, industry experts consider this is just the tip of the iceberg, with many victims failing to report these crimes and BEC frauds on the rise.

Ransomware

Whilst these attacks occur less frequently than either variant of BEC frauds, ransomware attacks remain the greatest direct financial threat to SMEs.

Ransomware is a form of malware that infects a network and encrypts your files. A ransom note is commonly displayed providing instructions for the payment of cryptocurrency in return for the decryption tool.

These encryptions are incredibly sophisticated and in most circumstances cannot be “cracked” without a decryption key. This means that if clean, up to date back-ups are not in place, an SME will effectively screech to a standstill, with little prospects of returning to usual business until the files are restored.

If back-ups are available this can be a straight forward process with the system cleaned and rebuilt with existing files, however if this is not possible it may be necessary to engage data decryption specialists or, as a last resort, the hackers themselves.

Not only can ransomware attacks result in substantial IT consultant costs in the assessment, decryption and restoration of the SME’s computer systems, but they often lead to significant business interruption. To put it simply, if proper systems are not in place, ransomware attacks are business killers.

What you can do

Whilst SMEs face a significant and increasing threat of cybercrime, there are a number of simple process steps SMEs can take to limit the risk of falling victim to cybercriminals:

1. Look for red flags in suspicious emails.
Whilst these attacks can be sophisticated, BEC frauds still rely on an employee or agent of the third party to execute the funds transfer. Therefore it is important that employees be aware of the following “red flags” that may indicate a BEC fraud:

• The sender purports to be someone in a position of authority, particularly if such a person wouldn’t normally issue payment requests.
• Email requests urgent payment or threatens consequences if payment isn’t made (often from an email that looks like the client’s email - but say with an exttra letter added - see what we just did there?).
• A vendor has provided new bank details.
• The sender requests payment of an invoice outside of the usual payment cycle or the invoice amount is larger than usual.

2. Always confirm account details over the phone before processing funds transfers.
This simple measure can almost entirely eliminate the risk of funds being misappropriated as a result of a BEC fraud. It is important to use contact details not contained solely in recent or suspicious emails, but to use contact details kept on file. Employees should always keep a note of the call confirming these account details as it will be relevant to establishing that reasonable steps were taken to avoid the risk of misappropriation in the unfortunate event that funds are lost.

3. Ensure multi-factor authentication (MFA) is enabled.
Whilst cybercriminals can employ a variety of techniques to attempt to access your computer network (phishing, malware, social engineering, brute force attacks) MFA creates a layered defence system which greatly reduces the likelihood of cybercriminals successfully hacking the network. MFA can be incorporated into most essential business programs and is an existing feature on systems like Office 365. If MFA is not enabled on your businesses’ computer network, we encourage you to contact your IT security provider.

4. Ensure regular software updates and patching occurs.
All businesses, regardless of size, should ensure that optimal business security and anti-virus protection software is installed on each device within the company’s computer network.

Whilst installing security software is important, cybercriminals can detect and exploit security holes or software vulnerabilities that may exist in ageing systems. Such security flaws can leave the computer network exposed to malware or other forms of attack.

Regular software updates and patching is important to guarantee that security flaws are removed, ensuring the ongoing effectiveness of your IT security systems.

5. Conduct an annual cyber security audit.
In addition to ensuring regular software updates and patching, it is important that the company engages in annual security audits to identify potential weaknesses in the existing IT security systems. These audits should involve penetration and awareness testing, security review and ensuring back-up systems and protocols are functioning effectively. Whilst security audits can be handled internally, best practice is to have external IT consultants conduct the audit to accurately test the strength of existing systems.

6. Formulate a cyber incident and privacy breach response plan.
A serious cyber incident will often catch a business unaware, resulting in confusion and delays which can worsen the impact of the incident. In order to ensure you are able to manage a cyber incident effectively, prepare a cyber incident response plan and privacy breach response plan, which can be accessed by all employees.

These plans should clearly outline the immediate steps which should be taken in response to a cyber incident, including:

• appointment of IT consultants to assess the extent of the incident
• identification of important data and critical systems
• key roles and responsibilities, including internal notification protocols
• stakeholder communication protocols (public relations and media management)
• reporting obligations (particularly under the Privacy Act)

Any cyber incident response plan or privacy breach response plan should include notification to your cyber insurer (if applicable) and a hard copy should be kept on site.

7. Set up workflow procedures to comply with these security measures.
Whilst taking these steps will reduce the risk of an SME falling victim to cybercrime, it will all be for naught if the employees are not aware of, and follow, these measures. As outlined above, human error or oversight is a key factor in most cyber attacks.

It is essential that SMEs institute training and workflow procedures that ensure their employees are aware of the threats faced from cybercrime and the steps they must take to avoid it.

8. Consider cyber insurance, which can pay to recover lost systems (but not data) and consequential loss, including privacy claims.

Importantly, no organisation should rely on technical defences alone, there is also a critical human line of defence. Any technical procedure can be missed by bored or alienated people within your organisation, and two employees acting together can easily defraud the most sophisticated technical lines of defence because they know the procedures.

Generally, you should trust but verify.