The impact of cyber-attacks on small business

As the world becomes increasingly enabled through technology and continual connection, businesses — both large and small — must take precautions against being compromised through online platforms.

This is a critical business risk, and research from the Australian Small Business and Family Enterprise Ombudsman paints a grim picture. Small businesses represented 43 percent of all cyber-attacks last year. In the spate of ransomware attacks that occurred in 2017, 22 percent of affected businesses could not continue operating.

In this piece we’re going to look at some of the main points of entry for criminals using online platforms and services.

Email phishing attacks are hoax emails, designed and worded to appear from a trustworthy source, such as a bank or other financial institution. They aim to entice you to click on a malicious link that can lead to a viral infection of your systems, or ask you to input data — such as your login credentials for your bank — which is then taken and used illegally. Australian banks regularly send out updates via email or posted on their website warning of any fraudulent emails that may be in circulating at any given time.

Malware is a piece of software sent to you that, if opened or run, infects your machine or network with software. This can then be used to skim info from keyboards as keys are pressed, or provide external access to an unauthorised user in a remote location.

Ransomware is delivered as above, but then locks your system or network down until a ransom is paid to restore access.

A denial of service attack bombards your network with requests and locks up your system from functioning normally. This is often used by groups such as the hacker group Anonymous to shut down targeted websites.

Fewer than one in three business with less than 100 employees take active measures against cyber security breaches, and 87 percent of small businesses believe antivirus software alone is enough to protect them from the above. This is often not the case.

The first thing to examine is the potential entry points for attacks into your system and this can include point of sale systems, mobile devices used by staff, or allowing people to dial into your systems using a virtual private network (VPN). Once you are aware of where your business may be exposed, you can take appropriate action. 

What can you do?

The goal for most cyber-attacks is the collection of data, so the first thing to do is to make sure you have offsite copies of all your critical records. Running data backups daily, or throughout the day, will allow you to restore your system should it become compromised.

If your employees are using mobile devices provided by the company, you can set up network restrictions that don’t allow them to access services like online banking, or your network. This will prevent accidental loss of a device potentially opening a route to your information.

Consider implementing two-step security on your devices or network, meaning that both a password and a code, sent via email or SMS, will be required to access the network.

Impacts beyond data loss

There is an incorrect assumption that a cyber-attacks will cause potential damage to systems, and only technology will be affected, but the impacts can be far greater.

There are insurance policies that cover some aspects of a cyber-attack, but once an attack occurs and the damage is analysed, there will almost certainly be areas that are not covered. A potential attack could compromise your data, your premises, your clients’ data, your ability to operate, or your reputation within your business network, or with the regulator. Depending on the collateral damage, some of it will be covered, while some will almost certainly not be. It is important to speak to a risk adviser in detail about the risks that your business faces, so that appropriate cover can be expolred.