Since the major Optus data breach shook the Australian community, there isn’t a week without a new cyber incident making headlines and impacting Australian citizens and organisations.
In this environment, a number of SMBs are likely looking at ensuring their business is more cyber-safe in the future, especially knowing it can be much harder for a smaller organisation to recover from an attack, if at all. But it can be hard for business owners with little security knowledge to understand where to start. They first need to understand the main threats to their company to prioritise decisions that will efficiently increase their defences.
Let’s look more closely at five cyber risk factors that SMB leaders should consider when thinking about cyber security in 2023.
An unsafe digital ecosystem
Cyber incidents can originate in an SMB’s wider digital ecosystem: a data breach such as Optus’, for example, affected both individuals and small businesses. Keeping that ecosystem “clean” is part of being cyber-safe. When choosing technology and digital service providers, small businesses should check whether a provider has been the victim of (repeated) cyber incidents in the past, which data it will collect and retain and how, and, most importantly, how it protects that data.
This can be achieved by establishing a third-party risk assessment program that is commensurate with the size, complexity, and criticality of the services the providers deliver. This is about ensuring the resilience of the business and managing digital risk more effectively. SMEs should stay away from providers who cannot give satisfactory answers and guarantees.
Attacks on software supply chains
The software supply chain is everything involved in building and delivering a piece of software: the developers, the third-party and open-source components they build on, the build and release tooling, and the update channels through which new versions reach users. Threat actors increasingly target this chain, for example by compromising a widely used open-source component or a vendor’s build and update process, so that malicious code ships inside a legitimate-looking update and potentially reaches every user who installs it.
SMEs that depend on specific software or applications for their core daily operations should ask providers how they keep their software supply chain safe: for example, whether releases are signed and checksums published, and whether third-party components are reviewed and kept up to date. This should form part of the third-party risk assessment process.
Employees without cyber security awareness
When threat actors compromise a business, they often do so through social engineering: tricking employees into handing over their login details or other sensitive information.
Large organisations often give their employees basic training on recognising and avoiding potential threats. Many SMEs have not made this a priority in the past and now want to focus on training employees to recognise the scams that lead to breaches. Human error remains one of the largest enablers of successful cyber incidents, and an educated workforce makes for a safer business.
Collecting too much data
With promises of marketing, customer-experience and sales marvels, companies large and small have been collecting personal data from their target audiences. The problem is that this data is the digital gold adversaries are after: the more of it a business holds, the more attractive a target it becomes.
Data isn’t easy to protect, least of all in large volumes, so small businesses wanting to reduce their cyber risk may want to consider a “data diet”: collect and keep only what the business actually needs. There is little leverage for a ransom when there is little or no valuable data to steal.
Unchecked cloud applications
It isn’t uncommon for individual employees or departments to adopt cloud applications to optimise their day-to-day work without telling IT or security teams. Cloud applications bring many benefits, but also risks: every employee account connected to a cloud application is another entry point an adversary can leverage to get into the company’s systems.
For example, threat actors now create fake cloud applications disguised as business tools that invite users to link them to their work Microsoft or Google accounts. The link is a consent grant: the user is asked to approve the app’s access to their Google Drive or SharePoint files, and once approved the app holds its own access token. From then on the adversary can read and exfiltrate data through that app without ever needing the employee’s password, and the grant persists until someone revokes it.
As far as possible, small businesses should maintain a real-time inventory of the cloud applications in use across teams and departments, including the third-party apps that have been granted access to company accounts, and remove any suspicious ones.
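The triage below is an added example, not code from the original article. It assumes the business has exported its list of third-party app consents from its identity provider into a simple CSV (the column names, the sample rows and the approved-app allowlist are constructed for illustration; a real export from Microsoft Entra ID or Google Workspace has different columns and would need mapping first). It scores each consent on three signals the section above describes: the app is not one the business knowingly approved, the publisher is unverified, and the granted scopes allow broad access to files or mail. The scope names are real Microsoft Graph and Google permission identifiers, but which ones count as high-risk is a judgement call and the list here is illustrative.

```python
"""Triage third-party app consents to spot suspicious cloud apps.

Added example, not from the original article. The CSV format, sample rows,
approved-app list and scoring weights are constructed assumptions for
illustration; adapt them to your identity provider's real export.
"""
import csv
import io

# Delegated permissions that let an app read or write company data on the
# user's behalf. offline_access matters because it yields a refresh token,
# so the app keeps access after the user closes the browser. (Illustrative.)
HIGH_RISK_SCOPES = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "offline_access",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
}

# Apps the business knowingly approved (hypothetical allowlist).
APPROVED_APPS = {"Slack", "Zoom"}

# Score at or above which an app is reported for review.
FLAG_THRESHOLD = 3

# Constructed sample export; not real data.
SAMPLE_EXPORT = """app_name,publisher_verified,consented_by,scopes
Slack,yes,alice@example.com.au,User.Read offline_access
Zoom,yes,bob@example.com.au,User.Read Calendars.Read
Invoice Helper Pro,no,carol@example.com.au,Files.ReadWrite.All Mail.Read offline_access
PDF Converter Free,no,dave@example.com.au,https://www.googleapis.com/auth/drive
Timesheet,yes,erin@example.com.au,User.Read
"""


def parse_consents(text):
    """Parse the (hypothetical) CSV export into a list of consent records."""
    consents = []
    for row in csv.DictReader(io.StringIO(text)):
        consents.append({
            "app_name": row["app_name"].strip(),
            "publisher_verified": row["publisher_verified"].strip().lower() == "yes",
            "consented_by": row["consented_by"].strip(),
            # Scopes are space-separated in this constructed format.
            "scopes": set(row["scopes"].split()),
        })
    return consents


def assess(consent):
    """Return (score, findings) for one app consent.

    Weights are illustrative: unapproved app +1, unverified publisher +2,
    each high-risk scope +2.
    """
    score, findings = 0, []
    if consent["app_name"] not in APPROVED_APPS:
        score += 1
        findings.append("not on approved list")
    if not consent["publisher_verified"]:
        score += 2
        findings.append("publisher not verified")
    for scope in sorted(consent["scopes"] & HIGH_RISK_SCOPES):
        score += 2
        findings.append(f"high-risk scope: {scope}")
    return score, findings


def flagged_apps(text, threshold=FLAG_THRESHOLD):
    """Consents whose score meets the threshold, highest risk first.

    Each entry is (app_name, consented_by, score, findings).
    """
    results = []
    for consent in parse_consents(text):
        score, findings = assess(consent)
        if score >= threshold:
            results.append((consent["app_name"], consent["consented_by"], score, findings))
    results.sort(key=lambda r: r[2], reverse=True)
    return results


if __name__ == "__main__":
    for app, user, score, findings in flagged_apps(SAMPLE_EXPORT):
        print(f"{score:>2}  {app} (granted by {user})")
        for finding in findings:
            print(f"      - {finding}")
```

On the constructed sample this reports “Invoice Helper Pro” (unverified publisher with read/write access to files and mail plus a refresh token) and “PDF Converter Free” (unverified, full Drive access) for review, while the approved Slack and Zoom grants and the low-privilege Timesheet app stay below the threshold. For a flagged app the practical response is to revoke the consent in the identity provider’s admin console and ask the user what they were trying to do; the inventory is only useful if someone re-runs it regularly.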
More often than not, limited financial resources keep small businesses from building strong cyber security. The good news is that most of the recommendations in this article need only a minimal budget. Good cyber security is as much about processes and due diligence as it is about technology, and those mainly require time. Hopefully this will help some small businesses be more cyber-ready next year.