For those SMBs struggling with cybersecurity, help is on its way. The Australian Government has announced an $18.2 million package to help you understand how and where you need to improve your cybersecurity resilience and your ability to respond to cyber-attacks.

If you’re in the SMB sector and all over cybersecurity already – well done. But it seems that the rest of the sector is falling short – hence the official federal leg up.

You’d have to wonder why, when the body of evidence about the dangers posed by cybercrime continues to grow, for some SMBs, it’s just not sinking in – and they’re leaving themselves dangerously vulnerable and exposed.

Why is that?

Is it a matter of ‘she’ll be right’?

No – sorry, mate, but she won’t be right. The one thing no SMB owner can afford to do is be blasé about cybersecurity. There’s no room for complacency – it’s no longer a matter of if you’ll be attacked but when.

However, too few SMBs take cybersecurity seriously and, consequently, leave themselves dangerously vulnerable to attack. ‘Small Businesses Are More Frequent Targets Of Cyberattacks Than Larger Companies’, wrote Forbes in a recent article, referencing a 2022 report which showed that small businesses are a staggering three times more likely to be targeted by cybercriminals than their larger counterparts.

In its latest (Nov 2023) Cyber Pulse Survey, the Australian Securities and Investments Commission (ASIC) identified that “an alarming number” of organisations are neglecting cyber security and that smaller organisations are most at risk. The top three threats to SMBs are phishing (26%), ransomware (17%), and business email compromise (13%). ASIC identified three specific areas for improvement for small organisations: supply chain risk management, data security, and consequence management.

In the ‘smart organisations’ section of its survey, ASIC called out these truly worrying SMB statistics:

  • 34% don’t follow or benchmark against any cyber security standard
  • 44% don’t perform risk assessments of third parties and vendors
  • 33% have no or limited capability in using multifactor authentication
  • 41% don’t patch applications
  • 45% don’t perform vulnerability scans
  • 30% don’t have backups in place

Given the statistics above and the potential for attack, the SMB sector should be worried. The Australian Signals Directorate’s (ASD) Cyber Threat Report for 2022-2023 says there was one cyberattack on an Australian business reported every six minutes, a 23% rise in reported cybercrime, and that the average cost to a small business was AU$46,000.

If you’re an SMB, you have a bounty on your head

Too many SMBs have allowed themselves to become easy and lucrative pickings for cybercriminals. But how – and why?

  1. Underestimating attractiveness to criminals: Regardless of size, SMB data – like customer information or financial records – is as valuable as anyone else’s. And often less well protected.
  2. Not enough resources: Good (cybersecurity) people are hard to find and often unaffordable for an SMB – making it all the harder to set up robust defences. So, again, they are easier to target.
  3. Slacker security: SMB cybersecurity is often not taken as seriously as it is by large corporations, and it’s hard to keep up with a rapidly evolving threat landscape. To note: antivirus software alone is not a cybersecurity strategy – not even close.
  4. Secret side door: SMBs are often entry points to larger organisations and act as inadvertent gateways for hackers.
  5. Less awareness: Busy SMB owners and staff can be less attuned to cybersecurity best practices, making them more likely to fall for phishing attacks or to let malware into their systems.
  6. Cost: There are no two ways about it – cybersecurity tools and training are expensive. However, the financial and reputational costs of recovering from an attack and returning to business (if possible) are far greater.

In summary, it’s a combination of overconfidence, lack of awareness, corner-cutting, and an unwillingness or inability to invest.

It doesn’t pay to ignore good advice

We know it’s easy to offer advice when an SMB doesn’t have the capability or cash to implement, run, manage, and maintain a rock-solid cybersecurity strategy. And with the new but long overdue ‘govern’ function added to the list of NIST best practices, and likely to become law in Australia, it will become even more challenging for some.

The ACSC Essential Eight is an excellent guide to what you should be doing – at a minimum. However, in its Cyber Pulse Survey 2023, ASIC recommends that small organisations also consider:

  • Educating employees about cyber security best practices
  • Developing a cyber incident response plan and enforcing cyber security policies and procedures
  • Conducting regular security assessments and vulnerability scans
  • Assessing the cyber security practices of third-party vendors
  • Implementing thorough background and reference checks when hiring
  • Implementing robust monitoring and logging solutions to detect and respond to suspicious activities on networks

In the same survey report, ASIC commented, “For many small organisations, outsourcing is essential to managing cyber risk. These relationships can become critical to their success.” Their key recommendation was for organisations to “engage a cyber security expert to evaluate the key cyber risks and implement an appropriate security standard.”

SMB cybersecurity made simple

Developing and implementing a DIY cybersecurity strategy isn’t simple or often even possible when you’re both time-poor and resource-poor. And if you fail to meet the legal requirements to protect your customers, you can be hit with significant financial penalties at one end of the scale, lose customers, or shut down operations at the other. As far as we’re concerned, none of these outcomes is acceptable.

Here at Colton Computer Technologies, cybersecurity is our middle name. (Or it would be if we had one).

Our proactive Managed Detection and Response (MDR) service is designed to provide you with worry-free 24/7 coverage supported by a team of highly trained cybersecurity professionals. And everything we do helps you comply with both company and government policies.

We turn Steal My Business into Secure My Business. Give us a call – we give good advice (even if we say so ourselves).