At a glance
According to CrowdStrike, 67 per cent of Australian organisations suffered a ransomware attack in 2020 – 10 percentage points above the global average. With data breaches on the rise, particularly as the shift to remote work exposes gaps in security systems, it’s essential that businesses of all sizes prioritise cybersecurity.
Kieran Doyle, partner at specialist insurance law firm Wotton + Kearney, outlines 10 steps businesses can take to minimise their exposure to cybercrime.
- Secure your systems. Businesses don’t need to spend a fortune on IT security, Doyle says, as long as they follow a few fundamental best practices, such as installing anti-virus, anti-spyware and anti-spam filters on all devices and ensuring staff use complex and regularly updated passwords.
All software and systems should be set to update automatically so that security patches are applied as soon as they are released.
- Use multi-factor authentication. Protect sensitive data by requiring employees to provide more than one form of proof of identity before they are granted access to an account, which confirms they are authorised to use it.
- Back up data. By performing regular back-ups, businesses can recover any information lost as the result of a cyber attack. Business.gov.au recommends using multiple methods (e.g. portable devices, external drives and cloud storage) for daily, end-of-week, quarterly and annual server back-ups.
- Protect your clients. Use a reputable payment gateway for online financial transactions and ensure personal customer information is encrypted and stored in a secure location. Businesses should be aware of their responsibilities under the Privacy Act.
- Examine third-party providers. Beyond understanding their own data responsibilities, businesses must consider where they send data and who handles it.
Doyle suggests asking vendors, such as payment gateway or cloud storage providers, what security measures they have in place, adding, “We’re seeing more and more multi-party breaches, where one vendor’s attack affects multiple clients.”
- Declutter data. It’s not only crucial for businesses to know what data they have and where it’s stored, Doyle says, but also whether they still need it.
“We find that a lot of businesses get caught out because they don’t archive or delete data that they don’t need,” he explains. “All of a sudden if you have a data breach, you’re having to notify many people, some of whom won’t be clients anymore.”
- Create a cybersecurity plan. This should be reviewed and updated at least once a year, alongside other business continuity planning, Doyle says. “Keep the incident response plan simple,” he urges. “When an incident does occur, there’s no point having a 10-page plan that takes an hour to read and understand.”
- Educate employees. Provide training for staff around responsible use of data, devices, emails and websites. As Doyle explains: “Over 90 per cent of cyber incidents occur because an employee has clicked on a link in a phishing email or inadvertently downloaded a document that contains malware.”
- Defend your inbox. Accountants are an attractive target for cybercriminals and easy prey for email compromise. Activating spam filters reduces the volume of spam and phishing emails that reach staff.
- Invest in cybersecurity insurance. A cyber insurance policy not only gives financial peace of mind, it also gives businesses immediate access to a panel of specialists who can get them back on track after an attack much faster and more thoroughly than an IT provider – closing up any exploited vulnerabilities in the process. Doyle adds: “Make sure there’s a step in your cybersecurity plan to notify insurers or, at the very least, get a private security professional to assist from the outset.”