According to the Australian Institute of Criminology, 34% of Australians (around 6.7 million people) have fallen victim to a cyberattack. If you follow the news, you will have heard about data breaches affecting businesses of every size. So it raises the question: is any business safe?
October is National Cyber Security Awareness Month, so this month we’re sharing insights on the alarming statistics surrounding cybersecurity, as well as tips businesses can use to promote cyber-savvy practices and protect themselves and their data. The awareness month exists because leaders so often treat cybersecurity as an afterthought or an optional extra rather than a necessity, and because it is widely seen as a highly technical process that must be outsourced to professionals rather than something every person in the business contributes to.
The campaign’s evergreen theme, #BeCyberSmart, encourages individuals and businesses alike to own their part in protecting themselves against an attack, stressing personal accountability and the importance of taking proactive steps to strengthen their cybersecurity measures.
Barriers to Implementation
First, let’s outline why cybersecurity procedures and protocols so often go unimplemented and unowned. These barriers are not unique to individuals; they extend to some of the largest businesses in the world.
We’ve outlined the main barriers as:
Cost: Investing in cybersecurity is expensive, both in network security and in employee training. It could be argued, though, that the consequences of ignoring it are far more drastic. By one widely cited estimate, if cybercrime were a country it would be the third-largest economy behind the USA and China, and it is predicted to inflict damages of $6 trillion USD by 2025, with costs growing 15% year on year, representing the greatest transfer of economic wealth in history. Need I say more?
Updating Legacy Infrastructure: Modernising operations may be straightforward for a smaller business, but for international businesses that have relied on the same systems for decades, the failure to transition to newer infrastructure and keep systems patched is often their downfall. One of the simplest ways to become vulnerable is to leave software unpatched: attackers routinely scan for systems running versions with publicly known vulnerabilities, because those are the cheapest to exploit. Although transferring to a new system or process may seem daunting, ripping off the bandaid is, in this case, a necessity.
Specialised talent shortage: It’s no secret that there is a shortage of qualified IT professionals, let alone those trained specifically in security, which makes recruiting this level of talent difficult. Escalating salary expectations can also seem unattainable for smaller businesses. Consequently, many companies simply skip the technical controls needed to stay cyber-safe, citing a lack of time and money.
Regularly Training Employees: Nearly 40% of data breaches involve insiders, whether malicious or simply careless, so training employees in secure practices is crucial to mitigating this risk. As technology advances and hybrid work becomes the norm, many employees and contractors use personal devices for convenience; if those devices are not managed and secured, the compromise of a single one can expose confidential company information.
Defining Cybercrime – Types of Attacks
With cybercrime increasing drastically each year, attacks continue to grow in sophistication, creating further opportunities to gain unauthorised access to data and systems. There are countless ways this can happen; let’s break down the main ones simply:
Malware or Ransomware: Malware is a type of software that, once downloaded and run, performs malicious tasks. Some variants give the attacker remote access to the network, others log keystrokes or capture the screen to steal credentials and other valuable data from the unsuspecting victim, and others simply cause disruption. Ransomware is one of the most notable forms: the attackers encrypt the victim’s files and demand a ransom payment in exchange for the key needed to regain access. Many ransomware crews now also steal a copy of the data before encrypting it and threaten to publish it if the ransom isn’t paid, so a good backup on its own is no longer a complete answer.
Phishing: Probably the most common form of attack is phishing; we’ve all received an illegitimate email that seems… off. The goal is to impersonate a bank, real estate agency or other trusted entity and trick you into handing over your credit card details, passwords or other confidential credentials, usually by sending you to a look-alike login page or getting you to open a malicious attachment.
Password Attacks: As the name suggests, these attacks target your password directly, and they are increasingly prevalent and often effortless. Attackers try lists of common passwords and dictionary words with predictable tweaks (a capital first letter, a year or ‘123’ on the end, a ‘!’ at the end), replay passwords leaked from other breaches against your accounts, or simply brute-force short ones, and readily available tools make all of this fast. So adding a ‘123’ when prompted to change your password is not going to cut it. Note that the fix is not rotating passwords on a monthly schedule (NIST SP 800-63B now advises against forced periodic changes, because they produce exactly these predictable tweaks); it is a long, unique password or passphrase for every account, changed promptly if it is suspected of being compromised, plus multi-factor authentication.
Denial-of-service Attack: In a denial-of-service (DoS) attack, a server or network is flooded with inbound traffic with the goal of exhausting its resources and bandwidth so that it can no longer respond to legitimate requests. When an attacker uses many compromised devices (a botnet) to generate the flood, it is a distributed denial-of-service (DDoS) attack.
DNS Attacks: DNS tunnelling is more sophisticated. It occurs when an organisation has otherwise adequate security controls but does not monitor its DNS traffic, which is almost always allowed out of the network. Attackers encode stolen data or command-and-control instructions into the subdomains of DNS queries and into the responses to them, smuggling it past firewalls that see only ordinary-looking lookups. The telltale signs are very long, random-looking subdomains, a new subdomain on nearly every query, and heavy use of record types such as TXT.
Man-in-the-middle attack (MITM): Although far less effective nowadays against properly authenticated TLS (HTTPS) connections, MITM attacks involve a third party positioning itself between two communicating parties, for example on untrusted Wi-Fi, to intercept or alter what passes between them and harvest personal information. A browser certificate warning is one of the few visible signs, which is why it should never be clicked through.
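The DNS tunnelling signs described above can be turned into a simple detector. The following is an added example, not code from the original post: it runs over a constructed sample of resolver query logs (in an assumed "timestamp client qtype qname" format) and flags registered domains that trip at least two independent indicators: long subdomain prefixes, a never-seen subdomain on nearly every query, high-entropy labels, and heavy use of TXT-style record types. The zone tunnel-c2.test and all of the log lines are made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not a real capture). Assumed format,
# one query per line: "<timestamp> <client_ip> <qtype> <qname>".
# The first client browses example.com normally; the second sends hex-encoded
# chunks to tunnel-c2.test, a hypothetical attacker-controlled zone.
SAMPLE_LOG = """\
2023-10-02T09:00:01Z 10.0.0.12 A www.example.com
2023-10-02T09:00:02Z 10.0.0.12 A mail.example.com
2023-10-02T09:00:03Z 10.0.0.12 A www.example.com
2023-10-02T09:00:04Z 10.0.0.12 A cdn.example.com
2023-10-02T09:00:05Z 10.0.0.12 A www.example.com
2023-10-02T09:00:06Z 10.0.0.12 A login.example.com
2023-10-02T09:00:07Z 10.0.0.12 A static.example.com
2023-10-02T09:00:08Z 10.0.0.12 A www.example.com
2023-10-02T09:01:01Z 10.0.0.44 TXT 3f9a1c77b2e4d08156ac9e0f42b7d13a.0001.tunnel-c2.test
2023-10-02T09:01:02Z 10.0.0.44 TXT 8c2e5ab1f09d3746e1b5c0a29f7d6e38.0002.tunnel-c2.test
2023-10-02T09:01:03Z 10.0.0.44 TXT b71d4e0a9c3f2568d2a7e9b4c1f03e5a.0003.tunnel-c2.test
2023-10-02T09:01:04Z 10.0.0.44 TXT 5e0c3a7f1b9d2846a4c8e2f06b3d9a17.0004.tunnel-c2.test
2023-10-02T09:01:05Z 10.0.0.44 TXT 2a9f7c1e4b0d3658c6e1a8f2d4b7e093.0005.tunnel-c2.test
2023-10-02T09:01:06Z 10.0.0.44 TXT f4b8e2d1a7c09356e8d3b6a1c5f29e47.0006.tunnel-c2.test
2023-10-02T09:01:07Z 10.0.0.44 TXT 9d3c6e1f2b8a0475d1f7a3c9e6b24d08.0007.tunnel-c2.test
2023-10-02T09:01:08Z 10.0.0.44 TXT 7e1a5c9b3f0d2864b9e4c7a1f3d06e2b.0008.tunnel-c2.test
2023-10-02T09:02:01Z 10.0.0.12 A updates.vendor-example.net
"""

# Record types commonly used to carry tunnel payloads back down to the client.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}
MIN_QUERIES = 5  # don't judge a domain on a handful of lookups


def shannon_entropy(text):
    """Bits of entropy per character; hex-encoded data scores close to 4.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def split_name(qname):
    """Split 'a.b.example.com' into ('example.com', 'a.b').
    Simplification: the registered domain is taken as the last two labels,
    so multi-part suffixes such as .com.au are not handled here."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(records):
    """Aggregate per-registered-domain features across all queries."""
    stats = defaultdict(lambda: {
        "queries": 0, "prefixes": set(), "prefix_len": 0,
        "entropy": 0.0, "payload_qtypes": 0, "clients": set(),
    })
    for _ts, client, qtype, qname in records:
        base, prefix = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["prefix_len"] += len(prefix)
        s["entropy"] += shannon_entropy(prefix.replace(".", ""))
        if qtype in PAYLOAD_QTYPES:
            s["payload_qtypes"] += 1
        s["clients"].add(client)
    return stats


def tunnel_indicators(s):
    """Return the list of tunnelling indicators a domain's profile trips."""
    n = s["queries"]
    reasons = []
    if s["prefix_len"] / n >= 30:
        reasons.append("long subdomain prefixes (avg %.0f chars)" % (s["prefix_len"] / n))
    if n >= MIN_QUERIES and len(s["prefixes"]) / n >= 0.8:
        reasons.append("almost every query uses a never-seen subdomain")
    if s["entropy"] / n >= 3.5:
        reasons.append("high-entropy labels (avg %.2f bits/char)" % (s["entropy"] / n))
    if s["payload_qtypes"] / n >= 0.5:
        reasons.append("mostly TXT/NULL-style record types")
    return reasons


def find_tunnel_candidates(log_text, min_indicators=2):
    """Map each suspicious registered domain to the indicators it tripped.
    Requiring two independent indicators reduces false positives from
    legitimate services whose hostnames look random but are short or reused."""
    flagged = {}
    for base, s in profile_domains(parse_log(log_text)).items():
        reasons = tunnel_indicators(s)
        if len(reasons) >= min_indicators:
            flagged[base] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in find_tunnel_candidates(SAMPLE_LOG).items():
        print("SUSPECT %s: %s" % (domain, "; ".join(reasons)))
```

Run against a real resolver log, the thresholds need tuning per environment and the two-label registered-domain rule should be replaced with a public suffix list, but the shape of the detection is the same: normal browsing reuses a small set of short hostnames, while a tunnel burns through long, unique, high-entropy ones.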
Strategies to Enhance Cybersecurity
All in all, the lack of prioritisation of cybersecurity as a business risk, and ignorance of how frequent attacks are, is what lets most businesses down. We’ve shared strategies below to help kick-start a culture of security awareness and empowerment in your team:
Train your Staff: Most businesses host a one-off cybersecurity training session but fall short on a regular cadence. Like fire drills, security sessions should be held regularly, ideally backed by simulated phishing emails, so employees feel empowered to protect their data.
Update your Devices Regularly: Stay on top of updates to your security software, web browsers and operating systems, and turn on automatic updates wherever the option exists.
Double your Log-in Protection: Wherever possible, enable multi-factor authentication (MFA) using a trusted device, an authenticator app or a hardware security key; a hardware key is the strongest option because the code it produces cannot be phished.
Change! Your! Password!: Yes, your dog is cute, but no, he doesn’t need to be your password for the next decade. Use a password manager to generate the longest password or passphrase each site allows, never reuse one across accounts, and change a password immediately if the service it protects is breached or you suspect it has leaked.
Act Cautiously: Not sure why your bank is requesting your credit card information via email? Call them, using the number on their website or the back of your card rather than any number in the email. Once you spot a phishing email, report it via your email provider to help block similar emails in future, and use your inbox’s spam filters to further reduce what gets through.
Always Encrypt: When storing or sharing sensitive data or files, always encrypt them, both at rest and in transit (for example, HTTPS or SFTP rather than plain HTTP or FTP).
Back up your Data: In the event of an attack, make sure you have an offline (or otherwise immutable) backup that ransomware on your network cannot reach, and test regularly that you can actually restore from it.
Do a Security Assessment: If you don’t feel equipped to find the vulnerabilities in your own systems, outsource this to a professional. Frameworks published by cloud providers, such as the security pillar of the AWS Well-Architected Framework, are a great way to understand where you may need to tighten your security controls.
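To make the password advice above concrete, and to show what the "Password Attacks" section means by cracking, here is an added example that is not code from the original post. It runs a small dictionary-plus-rules attack, the kind hashcat and John the Ripper automate at scale, over a constructed credential dump: the dump is built by hashing known plaintexts so the example runs offline, but crack() only ever sees the hashes. The users, passwords and wordlist are all made up; the pet-name-plus-123 and pet-name-plus-year passwords fall in well under a second, while a four-random-word passphrase is never reached.

```python
import hashlib
import math


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample: a hypothetical leaked credential dump. Unsalted SHA-256 is
# used because that is what makes the attack this cheap; a real system should
# store passwords with bcrypt, scrypt or Argon2, which slow every guess down.
LEAKED_HASHES = {
    "alice": sha256_hex("Buddy123"),                      # pet name + "123"
    "bob":   sha256_hex("Rex2024!"),                      # pet name + year + "!"
    "carol": sha256_hex("kettle-monsoon-violet-ladder"),  # four random words
}

# A tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["password", "welcome", "summer", "buddy", "rex", "max", "bella", "charlie"]

LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield the predictable variations people make when told to 'add a number'."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}   # p4ssw0rd
    suffixes = [""] + [str(n) for n in range(1000)]      # 1, 7, 123 ...
    suffixes += [str(y) for y in range(1980, 2031)]      # birth years, this year
    for base in sorted(bases):
        for suffix in suffixes:
            for symbol in ("", "!", "!!", "#", "$"):
                yield base + suffix + symbol


def candidate_count(wordlist):
    """Total guesses the attack will make; the real search space is tiny."""
    return sum(1 for word in wordlist for _ in mangle(word))


def crack(hashes, wordlist):
    """Dictionary + rules attack. Returns {user: recovered_password}."""
    wanted = {h: user for user, h in hashes.items()}
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha256_hex(candidate)
            if h in wanted:
                recovered[wanted[h]] = candidate
                if len(recovered) == len(wanted):
                    return recovered
    return recovered


def passphrase_entropy_bits(n_words, dictionary_size):
    """Search space of a passphrase built from n randomly chosen dictionary words."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    found = crack(LEAKED_HASHES, WORDLIST)
    total = candidate_count(WORDLIST)
    print("candidates tried: %d (about 2^%.0f)" % (total, math.log2(total)))
    for user in LEAKED_HASHES:
        print("%-6s %s" % (user, found.get(user, "<not cracked>")))
    print("4 random words from a 7776-word list: ~%.0f bits"
          % passphrase_entropy_bits(4, 7776))
```

The whole rule set here is only about 2^18 guesses, which is why a pet name with a year and a symbol offers no real protection; four words chosen at random from a 7776-word list sit at roughly 52 bits, beyond any such list-plus-rules approach, and a password manager will happily generate something longer still.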
We’ve Got You
All in all, we hope this blog has filled you with the knowledge and motivation to go ahead and start prioritising cybersecurity. It starts with being informed, aware and empowered, and with sharing that knowledge to build resilience in the online world.
Unfortunately, 43% of cyberattacks target smaller businesses, and an alarming 66% of them have experienced an attack in the past 12 months alone.
We all came from humble beginnings, and as a small business ourselves, we want to help. For a limited time only, we’re offering eligible startups an exclusive $10,000 AWS package, including a FREE AWS Well-Architected Review (valued at $5,000) and $5,000 of AWS credits for remediation.