At a glance
Cyberattacks pose a significant risk to businesses and they are on the rise.
According to the ASD Cyber Threat Report 2022-2023, cybercrime incidents have increased by 23 per cent compared to the previous reporting period, with A$46,000 the average cost to small businesses.
If businesses are successfully targeted by cybercriminals, they will need to navigate potential financial, operational and reputational damage, says Kristine Salgado, cyber broker leader – Pacific, Marsh Specialty.
“There’s the immediate financial impact, whether from legal fees or customer notification expenses if there’s been a privacy breach, or ransom payments, or loss of revenue from systems being down and businesses being unable to operate,” she says. “And if you have negative public perception, it can damage your brand, diminishing customer trust.”
What actions should SMEs take to protect themselves?
Salgado says cyberattack resilience falls into two “buckets” – pre-incident planning and post-incident response.
“Pre-incident is about looking at incident-response planning and testing,” she says.
An incident-response plan should outline the resources that may be needed in the event of an attack – whether the business will call on specialists for IT, forensic, legal, HR and/or public relations support, for example, and whether these resources are available internally or if external specialists need to be engaged.
It should also specify who will be responsible for decision-making, “particularly in relation to a ransomware matter, where things are often highly stressful and you’ve got some very tight timeframes to respond to the threat actors,” says Salgado.
Educating staff pre-incident is similarly critical. “Staff are your strongest line of defence, but also the weakest link,” says Salgado. “It takes just one staff member to click on a phishing link and you risk having your system compromised.”
She recommends running team training sessions every quarter to help staff maintain best-practice cyber hygiene. They should also understand what their regulatory requirements and responsibilities are if there is a breach of personal data. These may change when Privacy Act reforms are implemented this year.
Responding to a cyber incident
When a cyberattack does occur, the first step is to contain the incident. This means gathering as much information as possible about the cause, getting recovery backups online and considering any legal or regulatory repercussions – ensuring the relevant authorities are notified within the required timeframe.
“Essentially, you’re triaging the matter, making sure you can access recovery as soon as possible,” says Salgado.
If the business has prepared – and practised – its incident-response plan, this should be a straightforward process.
“During an incident, if it’s the first time you’ve looked at a plan, or you don’t even have a plan, it’s very stressful to manage, particularly for an SME,” says Salgado. “But if you have a plan, it sets out a solid and robust framework – even a flowchart – to follow, so you can tick off all the essential actions and know you’re not breaching any of your customer contracts and legal requirements.”
For businesses, maintaining a cyber-aware culture is key, because these days, cyberattacks are inevitable, says Salgado, adding: “How prepared you are will determine how quickly you recover.”
Disclaimer: This article should not be considered as legal, tax or financial advice. Readers should seek their own professional advice that takes into account their own personal circumstances.