It’s a sobering statistic. Nearly half of all cyber attacks target small business, according to a US survey. “It's easy to target SMEs because most of them have not locked their windows and doors and aren't listening to the Neighborhood Watch,” Roberts told the AICD in an interview.
“They haven't done the cyber security fundamentals. So most criminals can hit 50 to 100 SMEs and make some nice money. Online crime and fraud is very difficult to investigate, build a case and prosecute - it takes a long time.”
The Australian Cyber Security Centre (ACSC) received one cybercrime report every 10 minutes between July 2019 and June 2020, according to its Annual Cyber Threat Report. The report shows that over that year the ACSC responded to 2,266 cyber security incidents and received 59,806 cybercrime reports, an average of 164 cybercrime reports per day, or one report every 10 minutes.
Global online scams have increased this year due to COVID-19, with criminals taking advantage of the disruption and distraction of executives, says Roberts. “Because criminals follow the money, and Australia has a great economy, it is a target,” says Roberts, who is a former Deputy Director of US Naval Intelligence.
“What's important to understand is most cyber events that we see - around 70 to 80 per cent - are perpetrated by cyber criminals. This is just good old-fashioned crime and fraud that moved online.”
Australia spent a total of $5.6 billion on cyber security in 2020, which is projected to reach $7.6 billion by 2024, according to the Australian Cyber Security Growth Network.
In her interview, Roberts outlined what SMEs can do to protect themselves on the cyber front and why digital age risk is one of the biggest, gravest and most likely threats to impact companies, organisations and boards of all sizes.
What do the best boards and companies do in terms of cyber security?
Cyber risk is one of the biggest risks that businesses of all sizes face today. I would say that the majority of companies, especially SMEs, are really back at the starting line in identifying and mitigating these vulnerabilities. They may be thinking strategy, but in order to think strategy, you need to start with examining the digital age risks that impact your organisation the most. In other words, you look at the company or organisation’s key dependencies in the global digital environment. So for instance, if your members interact with you via your website and your website's down for 48 to 72 hours, that can be a huge hit to your reputation and/or your revenue. That's a key risk for the organisation. Or if you have a lot of client or member proprietary data, personal data, that's a key target and a key risk. So it's really teasing out what your linkages and dependencies are, then prioritising those and mapping your strategy and limited resources to your most critical risks. Another area I think is equally important is getting cyber liability insurance. So understand your key risks, mitigate those risks and put some resilience in place. You need to be covered for when you have a cyber event, so you are able to pay for response services and preparation of your communications and restoration campaign. The impact of any cyber breach can run between a few hundred thousand and a few million dollars, depending upon the size of your organisation and how dramatic the breach was.
In terms of COVID-19 this year, what are the key cyber threat trends?
COVID-19 scams across businesses and organisations are rampant. What the criminals do is take advantage of a crisis and disruption, while your attention is pulled in a lot of different directions, which makes you and your employees more vulnerable to these scams. So you do need to focus on them, because you don't want to compound the impacts of COVID-19 to your business and employees with having a cyber event, a ransomware event, or a fraud perpetrated upon your business. So please do start taking those initial steps.
Is Zoom the new battleground in terms of cyber threats? Recently in Australia, a hedge fund had to close down after opening a fake Zoom invitation.
In terms of cyber risk at a national level, is Australia as a country up there high on the list, and is China a factor here?
Yes, Australia is a target for state actors, as is the US. There are state actors that have no rules when it comes to cyber espionage, or any kind of cyber disruption on private industry. You need to protect yourself, because in terms of Iran, North Korea and others, there is a cast of nation states that have no limitations regarding cybercrime and disruption.
In terms of directors, do boards need to have cyber specialists and do we need more in Australia?
I actually think it's more about having directors with a risk background. So yes, you may want a consultant and, depending upon your company size, you might want to employ a cyber risk service, but on the board itself, I think it's about a 360-degree holistic perspective on risks impacting your operations, revenue and reputation. That is why I think a lot of businesses are creating and hiring Chief Risk or Security Officers (CRO/CSO). When you just give the responsibility to the cyber guy or gal, or the IT director, you’re thinking of it in a one-dimensional way.
So, as an issue, cyber needs to be elevated to the board level, and needs to be covered by a specific strategy?
Absolutely. Digital age risk is a primary task and area of focus for all boards. And if they're not being reviewed regularly, from risk identification through prioritisation and mitigation, they're not doing their job. The biggest losses over the last few years in the US started with the Target data breach in 2015. It was the first time that a CEO was fired and the first time that a breach really had an impact on their share price. And they have never totally recovered from that. So that was an awakening to the fact that this isn't just about cyber, this is business. And that it can impact even the big guys who have large teams of smart people. This is the New World Order and it's not going to change. It's only going to become more critical and impactful going forward. And it's never too late to start.
The Australian Government has this year published its Cyber Security Strategy 2020. What are the key takeaways for SMEs?
I think there's a lot of great enablement in Australia's 2020 cybersecurity strategy. For SMEs, I think it’s critical to focus on the fact there is going to be a holistic approach to recording cybercrime and fraud and disruption and to having the foundations in place. So it's never too soon to get started. It does take a little bit of time but the cost of the average event is between $1 million and $2 million and will impact on your organisation’s or company’s revenue bottom line. So, it’s important to get ahead of the regulatory curve by starting today and using that as a differentiator. And as you put protections in place, talk about it, get it out there and let your members and clients and customers know that you think digital age risk is important and that you're putting extra protections in place, regarding your services or their data sets. Use it to your advantage in the marketplace because most SMEs do not. It can put you ahead of your competition, if you think of it in a business-minded way. And then, it can work for you, not so much as a cost centre but as cost avoidance, and as a differentiator or a marketing tool.
What three pieces of advice would you give SMEs in terms of cyber security?
I think for SMEs, it is important to get ahead of digital age risks, because it really is about the real risk to your revenue and reputation. So firstly, you need to engage your executive team, your management team and your board today. Secondly, identify the key risks to your company – for example, if you needed to be without something for 48 hours, or if you lost a dataset, what would be the impact to your company? Thirdly, get a cyber liability insurance policy, not as the solution but as a bridge until you have your plan in place and have started to mitigate your risks; like auto insurance, it is there in case the worst happens.
The AICD has a number of cyber-related tools to assist boards and directors.