Is Your Small Business Protected? Cyber Security Tips You Need to Know
RSM talkBIG – Cyber security and IT for small business | With Darren Booth | S2 E8
Let's face it, cyber attacks have become so common that you can barely turn on the news without hearing about some sort of massive data breach. But don't worry, RSM is here to help. For this talkBIG episode, hosts Andrew, Young, and Chris sat down with RSM's National Head of Cyber Security and Privacy Risk Services, Darren Booth, to uncover some startling truths about the seedy underworld of cybercrime and how businesses can protect themselves from cybercriminals.
You'll be surprised to learn that your hacker is more likely to be working 9-5 in a call centre run by organised criminals than a teenage hacker operating out of their parents' basement. Plus, did you know that people and processes can be a bigger risk than your IT system?
With the recent data breaches of major Australian companies like Optus and Medibank still fresh in our minds, it's more important than ever to learn about the risks and how to protect your sensitive information. And maybe it's time to reconsider whether you need to keep some of that customer data in the first place.
If you're worried that tech talk will go over your head, don't! Darren and the talkBIG crew break it down in an easy conversational style that you'll love listening to. They cover some great tips on where to start with cyber security, how people actually get hacked (you might be surprised!), whether cyber insurance is worth it, and the consequences for a business that experiences a breach.
So what are you waiting for? Tune in now and get cyber smart with RSM and the talkBIG crew!
Highlights from the episode:
Why should cyber security be a top concern for small business owners?
Is cyber security expensive?
What is a good place for businesses to start with cyber security?
What does a data breach look like and how does it happen?
Does the size of your business affect your cyber security risk?
Cyber criminals aren’t teenage hackers – this is organised crime
What are the risks or consequences for a business who tries to hide a data breach?
What is cyber insurance and who needs it?
Do businesses need to change the way they collect customer data?
Transcript
00:00:00:20 - 00:00:25:14
Andrew Sykes
Hello, everybody, and welcome to the RSM talkBIG podcast. I'm your host today, Andrew Sykes. And I'm joined in the studio by Young Han.
Young Han
How are you?
Andrew Sykes
And Chris Oates.
Chris Oates
G'day, everyone.
Andrew Sykes
We are your regular talkBIG team. Today we're going to have a chat about cyber security and we're joined by Darren Booth, who is RSM’s national head of cyber security and privacy risk services.
00:00:26:04 - 00:00:27:00
Andrew Sykes
G'day Darren, how are you?
00:00:27:18 - 00:00:29:05
Darren Booth
Yeah, very well, thank you. And yourself?
Why should cyber security be a top concern for small business owners?
00:00:29:10 - 00:00:44:07
Andrew Sykes
Good, mate, good. Looking forward to sharing some insights into cyber security and IT and particularly for small business. It would be great to hear about some of the risks involved and how businesses can protect themselves.
00:00:45:10 - 00:01:03:21
Darren Booth
Yeah, look, it's definitely headline news for us for the past couple of months in relation to the big breaches that you get at, you know, your Optus and your Medibank. There's nothing like the two biggest breaches in Australian history to bring it to everyone's attention that, you know, cyber security is there and it's not going away.
00:01:04:19 - 00:01:31:04
Darren Booth
But you're exactly right, it applies to all sizes of businesses. So it's not just your big businesses, it's the small ones as well. An attacker doesn't necessarily care whether you're big or small. They just care that you've got some information and you've got some weak systems potentially that they can breach, then they sort of exploit that and use that to really hold you to ransom.
00:01:31:04 - 00:01:37:20
Darren Booth
So small businesses really need to keep this front and centre, just like the big businesses do as well.
00:01:38:03 - 00:02:02:17
Young Han
I think it's actually that small businesses are at bigger risk because the big organisations, obviously they've got the resources and, you know, capital to invest in it and have better systems and processes in place to protect them from cyber attack. Whereas the small to medium enterprises, they're just really busy doing daily operations of, you know, right now I need to address this issue.
00:02:02:17 - 00:02:10:23
Young Han
So I think often people just neglect it and think that it's good to have. But I just don't have time or money to invest in it now.
00:02:10:23 - 00:02:44:10
Darren Booth
You're right. You're right. And, you know, any system that you've got could have a vulnerability. Typically, what we do find is for small businesses, at least, they don't have such complicated technology systems. So obviously the larger you get, usually the more complicated your I.T. environment becomes. So on a positive: if you're a small business, you probably know and are able to get a good handle on what systems you've got, and who's accessing those systems from a user perspective.
00:02:44:19 - 00:03:05:20
Darren Booth
So those are positives. That really means that if you do spend a little bit of time and effort, you can probably get some real good bang for your buck in relation to updating the security; because you actually know what systems to harden and where to actually focus that effort based on your knowledge of the systems that you're working with day in, day out.
Is cyber security expensive?
00:03:06:12 - 00:03:20:09
Andrew Sykes
Yeah, that's a great point. And something we've been trying to impress in some other podcasts where we've touched on this is: cyber security doesn't have to be expensive. But being safe is not expensive, is it?
00:03:21:15 - 00:03:42:05
Darren Booth
No, it's not. And, you know, definitely there's plenty of tools out there that are expensive and there's plenty of people that will happily take people's money in relation to it. But it doesn't have to be expensive. It doesn't. And it comes down to some of the real fundamentals in relation to security. So, things like anti-malware.
00:03:42:11 - 00:04:18:22
Darren Booth
So, you just have a piece of software on your I.T. equipment that basically detects and prevents malware from being installed. And that can be 100 bucks, 200 bucks a year; pretty cheap in relation to what it is. If you're looking at your email, you can turn on what's called multi-factor authentication, which is basically a two-step approach to authenticating to your email if you're accessing it remotely.
00:04:20:08 - 00:04:47:22
Darren Booth
And that's free for a lot of systems. If you're using Microsoft or Google, it's a free step that you basically just need to turn on. It's as simple as that. Once it's turned on, you know, the statistics basically say it stops 99.8% of all attacks that could be targeting your email systems, just because it's as simple as enabling that second step of authentication.
00:04:48:08 - 00:05:12:21
Darren Booth
So these aren't expensive things, but it's important to spend a little bit of time just to make sure that you actually do have them. Because they can really get some real quick returns. And once they're enabled, you can actually sort of set and forget. It's not like every single time you're having to remember, "Oh, I need to turn on all my MFA." You turn it on and it just runs in the background and it does its thing.
00:05:12:21 - 00:05:23:13
Darren Booth
It checks what you're doing. It asks you for prompts automatically. It's really something that once you've done it, you don't actually really need to worry about it again.
What is a good place for businesses to start with cyber security?
00:05:23:13 - 00:05:35:12
Andrew Sykes
So, Darren, what you're saying is that cyber security is not just about installing expensive software. It can be around your processes and how you use your existing software. Is that correct?
00:05:36:16 - 00:06:12:18
Darren Booth
Yeah, definitely. We break it down into people, processes and technology. And you could look at each one of those separately in relation to how you use them to your advantage in relation to cyber security.
So we've talked a little bit around the technology side of things, but if you look at people; people are actually one of the key risks in relation to cyber security, because it actually takes a person to click on a link or it takes a person to enter a password. If they're doing those somewhere that is a malicious website, that's a security issue.
00:06:12:18 - 00:06:42:15
Darren Booth
So it's really around training and awareness for people in relation to: How do you know what you're doing is secure? What are the red flags to look for? And there's lots of training programs to get. You get access to YouTube videos that give you some awareness in relation to what are the key things to look out for.
00:06:42:15 - 00:07:06:07
Darren Booth
And really, that people side of things can be a real differentiator in relation to lines of defence. If you think about your bank account, you're probably pretty sensitive around giving out your password for bank accounts and logging into your banking app. That sort of diligence can be applied in relation to other things you do in relation to your business. So just having that front of mind can be a real game changer in uplifting your security.
00:07:06:12 - 00:07:29:00
Darren Booth
The process side of things… Again, a lot of process things are free or cheap to do and it's really just around changing some of those business habits such that, you know, whenever you're doing things you might add an extra step. So for example, if a vendor emails you through to say, 'Oh, I've updated my invoice details, can you please pay this bank account?'
00:07:29:15 - 00:07:46:12
Darren Booth
Well, the extra step you put into that process is you pick up the phone and you call them. You say, ‘I've just got this message. Just want to check that that's actually the case’. You can then spend that time actually talking about other things as well. But it adds an extra layer of security into what you're doing.
00:07:46:12 - 00:07:50:03
Darren Booth
And really that extra layer of protection is great for small businesses.
00:07:50:03 - 00:08:00:15
Andrew Sykes
So you could go in and talk to one of my clients and just walk them through, ‘Here's how we can keep you safe’ - just by changing what they're doing.
00:08:00:15 - 00:08:31:16
Darren Booth
Yeah, definitely. You know, it's really just talking to people around, 'What are you doing and what are those processes you've got?' or 'What are those technologies that you're using?' And we can talk to them around, 'Well, if you change this or do this differently,' even what seem like small things can actually result in a real step change from a protection perspective.
00:08:31:22 - 00:08:36:03
Darren Booth
And those changes, like you said, are pretty quick to do a lot of the time. Quite cheap to do. It's just around knowing that they need to be done.
What does a data breach look like and how does it happen?
00:08:37:00 - 00:08:49:05
Chris Oates
And when looking... so you can go into the business and sort of do the work. But beforehand, what should the business look for? What does a data breach look like and how do they actually happen?
00:08:49:05 - 00:09:20:13
Darren Booth
Oh, that's a good question. And there's lots of different breaches that are out there. I think from a small business perspective, there's probably two or three key ones, though.
Business email compromise
There's business email compromise, as it's called, and that's basically where either your email or someone else's email has been breached. And as part of that, that means that then someone is sending emails, or able to read emails, in relation to what's going on in the business.
00:09:21:00 - 00:09:40:15
Darren Booth
Now, reading the email by itself may not cause a huge issue, but if as part of reading the email, they know that things are happening... for example, they know that you're in the process of buying some new...
00:09:40:15 - 00:09:56:18
Young Han
Property! Yeah, we’ve seen with property some cases where they were about to settle and then you had to send it to the other account. And you know, they got into it somehow or they know they were doing it and then they just changed the bank account details so they sent the money into the wrong account.
00:09:58:00 - 00:10:37:19
Darren Booth
Yeah. So with something like property, if you think about who was involved, there's the estate agents, there's the lawyers, there's the vendors, there's suppliers, there's conveyancers. You know, there's a lot of people involved in that. So if you have a business email compromised in one of those, that can result in a weakness that someone could then intercept. They could then send an email on behalf of someone else, like I said earlier, in relation to changing an invoice and suddenly you've got a large amount of money that's being paid - that's going to the criminal as opposed to going to where it should be from a property perspective.
00:10:37:19 - 00:10:58:22
Darren Booth
And the same principles apply to other things that businesses are transacting in. If you're a small business, you'll have lots of things that you're buying on a day-to-day basis. And it just requires one of those vendors to have a breach and then that then has a knock-on effect with you, even though it actually is not necessarily your fault.
00:10:58:22 - 00:11:20:22
Darren Booth
So that's the type of thing that you just need to be aware of. So the business email compromise is really one of those ones that is still prevalent in Australia. And it's probably the number one breach for small businesses. But also like I said earlier in relation to multi-factor authentication; it's actually one of the easier ones to protect against as well, if you do it properly.
Malware and viruses
00:11:20:22 - 00:11:45:06
Darren Booth
Then you then get into some of the malware or viruses that are out there. And that can be where you're just too busy, you're in the day job doing what needs to be done in relation to keeping the business going. And you get the pop up that says, please install this security update.
00:11:45:07 - 00:12:08:20
Darren Booth
You're like, ‘Oh it’s too hard’ or ‘That'll take me offline for the next 20 minutes. I don't want to do that. I'm just going to not install an update’. Then a day goes past, a week goes past, a couple of months goes past… and suddenly then there are publicly available exploits that can be used against that vulnerability.
00:12:08:20 - 00:12:32:18
Darren Booth
And you know, you can go on to the chat channels on the dark web and buy a vulnerability for $10. You can then as a criminal, then sort of send that out to some people and see whether or not it affects their systems. And if it does, then that's when they get in and that's when they start doing things either to bring your systems down or getting your data out.
00:12:33:14 - 00:12:54:10
Darren Booth
Both have a slightly different impact. But, from a reputation perspective, you're a small business. That reputation can be priceless if you do have a breach. Again, that's not necessarily a big thing, but it can be something that just needs to be front and centre of, well, if I don't do this update, what's the impact? And just realise…
Does the size of your business affect your cyber security risk?
00:12:55:08 - 00:13:19:02
Andrew Sykes
Really interesting, Darren. What's interesting to me - and what I'm thinking of while you're saying that - is that I personally have thought, 'Oh, I'm too small. Why would anybody bother with my data?' And I think a lot of small business people would think along those same lines. But now businesses are holding so much data. And yeah, what you're saying is that they can divert payments.
00:13:19:02 - 00:13:21:08
Andrew Sykes
It doesn't matter how small the business is, does it?
00:13:22:16 - 00:13:45:20
Darren Booth
No, it doesn't. And I think, you know, five years ago, there definitely used to be a ‘She'll be right,’ sort of attitude in Australia in relation to security. And I think the breaches like your Optus and your Medibank definitely bring it to life for the larger businesses. I still think for some smaller businesses, like you said, they still think ‘We're too small. Why would anyone attack us?’
00:13:46:03 - 00:14:08:22
Darren Booth
And what they've got to realize is they're actually not trying to attack you. What they're doing is taking a shotgun approach of just sending this exploit out to, you know, a couple of thousand computer systems and seeing which one is vulnerable to it. So they don't know that you're a small business. They don't even know what you do.
00:14:09:18 - 00:14:38:07
Darren Booth
All they see is a computer and they’re seeing whether or not their exploit is going to have an impact on that computer. So, you know, that's the bit I think people need to understand is that you're right, you may not be a target; but they're not trying to target you. You're caught because they're there. They're just going for anyone who's vulnerable, not necessarily going, well, this is the particular segment or sector that we're actually trying to attack.
00:14:38:13 - 00:14:45:20
Andrew Sykes
So they don't know whether they're going for a large company or versus just a small business, small local business?
00:14:46:00 - 00:14:57:12
Young Han
It's like a note that is saying there is something wrong with you or something is going to go wrong. You’re exposed to the risk and you’re just waiting for someone to respond and then they get into it.
00:14:58:05 - 00:15:26:04
Darren Booth
Yeah, exactly. Like, if you think of the text messages that you probably all get, everyone gets sort of the spam text messages that say 'you've got a parcel' or 'your bank account' or 'your PayPal.' That's just being spread out to as many mobile phone numbers as they can get their hands on. All they're doing is hoping that someone clicks on it. And it's a very similar approach in relation to businesses, in relation to some of the security on their systems.
00:15:27:05 - 00:15:51:19
Darren Booth
The attacks are really just trying to find anyone. Once they find someone, then they start going, right, well, who have we got, what have we got? And that's the point where they then start doing some investigation.
Cyber criminals aren't teenage hackers – this is organised crime
00:15:52:05 - 00:16:16:05
Darren Booth
And these attackers aren't kids that sort of sit in a bedroom with all the lights turned off. They are businesses, like they are criminal businesses with call centres and people working 9 to 5. They are treated like a business in relation to what they're doing. And all they're doing is sort of trawling through saying, ‘Well this particular vulnerability has worked; what does that mean?’ They're then sort of going through and working through that and then moving on to the next one.
00:16:16:13 - 00:16:29:13
Darren Booth
You've got to realize that you're up against a business who's really making money out of exploiting the vulnerabilities that you may have.
00:16:29:22 - 00:16:54:14
Andrew Sykes
Yes, these could be businesses that employ hundreds of people doing this, which probably demonstrates why they’re getting so good. Because I got one last year. It was an Australia Post text message and I was expecting a delivery on that day. And so I clicked on to the link and I paused when it asked me. The message came up and said, “We can't deliver your parcel. We need you to make payment.” And I went, ‘Oh, this has got to be a scam!’
00:16:54:14 - 00:17:07:24
Andrew Sykes
Do you know how they got it so good? It looked like Australia Post. It felt like it was legitimate and I was getting a parcel delivered that day.
00:17:09:06 - 00:17:58:18
Darren Booth
Look, I think the fact you were getting a parcel delivered that day was just pure chance. You know, the reality is given COVID, everyone is doing a lot more online shopping and getting a lot more deliveries than what they were before that. And the bit where they've got better is designing the messages better. So it used to be the case that, you know, you'd know that it was a spam or a spoof text message because the English grammar was bad or they spelt the name of the company wrong. They've matured to get some of those messages a lot better.
00:17:58:18 - 00:18:14:10
Darren Booth
And some of the sophistication that they use there in relation to doing pop ups that actually look and feel like the actual real thing is just them spending more time and effort on monetizing - that time and effort - to try and sort of get more success rates.
What are the risks or consequences for a business who tries to hide a data breach?
00:18:15:00 - 00:18:38:14
Chris Oates
And you mentioned before about the Australian attitude of, 'She'll be right.' The amount of times people have had their email compromised and they think 'I'll change the password and that'll fix the problem.' Personally, that's okay and I do it too.
00:18:38:14 - 00:18:44:19
Chris Oates
But in a business, what are the requirements to report the breach? And if you try to hide it from your customers and just sort of say, 'Oh, we fixed that. Let's just not tell anybody.' What's the outcome? Are there any consequences or punishments?
00:18:46:10 - 00:19:18:14
Darren Booth
Yeah. So you're bound by the Australian Privacy Act, which applies to businesses that have annual turnover of over $3 million. So if you're below that threshold, then you technically don't need to comply or report a particular breach. If you're over $3 million turnover, that's when the Privacy Act comes into play. There's basically an outline of privacy principles that sort of say 'How do you collect information? How do you use that information? How do you destroy that information?'
00:19:18:21 - 00:19:51:17
Darren Booth
And as part of that, if you then have a breach, you then need to report to the Office of the Information Commissioner that you've had a breach and this is what the impact is of that breach to your customers. And you need to do that within 28 days of identifying it's having an impact. So you know there's definitely some legislation there, depending on the size of the business.
00:19:52:23 - 00:20:01:20
Darren Booth
And then as part of that, there's some guidelines as to what you should be doing in relation to notifying your customers and notifying the regulators in relation to it.
What is cyber insurance and who needs it?
00:20:02:10 - 00:20:27:12
Young Han
So it sounds like there's definitely reputational and financial damage to the company if it doesn't follow up properly. Just like any other business insurance, I know there is something you call cyber insurance, cyber security insurance. What does it actually do and who actually needs to consider taking it?
00:20:27:12 - 00:20:58:24
Darren Booth
Yeah, look, cyber insurance has been around for a few years. And again, has evolved over that time. I think it's now relatively mainstream - in relation to people are aware of it. Where it has however changed in the past, probably 12 to 24 months is that it’s become a lot more expensive. And the caveats or exclusions that are in those policies have actually become broader.
00:20:58:24 - 00:21:43:23
Darren Booth
So you really need to understand what are the pros and cons in relation to that security and what insurance and what are you covered for and what are you not covered for as to whether or not you need it. If you're dealing with lots of customers and, you know, quite sensitive information in relation to their personal information, whether that be driving licenses or passports or credit card numbers; that might mean that it's more necessary for you to have it. Versus a business that, really all they're collecting might be a name and address, a telephone number that might not require them to have that sort of insurance from a people perspective.
00:21:43:23 - 00:22:17:01
Darren Booth
The cyber insurance also does help in relation to if your systems are brought down, do you have to rebuild your systems or do you have a revenue impact in relation to that? Some insurance policies cover that as well. So it's not just the notifying to the customers, it's also the disruption to the business as well. And some of the investigations that may need to be done. The cyber insurance can kick in and cover some of those costs.
00:22:18:14 - 00:23:01:22
Darren Booth
But yeah, like I said, the exclusions are the bit that really need to be looked at. Things like an act of war in relation to a cyber event is excluded in a lot of policies. If you say that your systems are secure and there's some of the basics that you're not doing, then that can come back where the insurance policy basically says, ‘Well, you didn't take enough due diligence and therefore we're not covering you because you said that you had the basic things in place and you didn't’. So that's just a due diligence that needs to be done - like an insurance policy - just as to what's being covered. And do you actually meet the criteria for that coverage.
Do businesses need to change the way they collect customer data?
00:23:01:22 - 00:23:30:23
Chris Oates
And with having the insurance for when the issue does come up... You mentioned the collection of data and the way it's changing for what businesses need to keep or what they get from the clients. And I think we talked about how the penalties for having the privacy breaches have increased so much. Should a business change how they're collecting data and what they're doing with it, and does that give them protection as well?
00:23:30:23 - 00:23:32:02
Andrew Sykes
And what they keep?
00:23:32:07 - 00:23:32:16
Chris Oates
Yeah.
00:23:34:00 - 00:23:53:22
Darren Booth
Yeah. And again, that's probably something that's changed over the past couple of years. So there used to be an approach, even two or three years ago of data is the new oil. And the more data we have, the better we can mine that and the more value that we can get out of it.
00:23:54:07 - 00:24:13:20
Darren Booth
So a lot of businesses were basically just getting whatever information we can get. We're going to get it. We're going to keep it. There's very much a realization now that if you don't need something though, don't keep it. If you don't need to keep the driving license or the passport or the credit card number, then don't keep it.
00:24:14:01 - 00:24:37:01
Darren Booth
Because if you do have a breach and you do have that information and that information gets leaked as part of the breach, then that's a far bigger impact in relation to your business and your customers. What we're seeing a lot of organizations go through at the moment is a review of what data they've got and why they're keeping that information.
00:24:38:07 - 00:24:58:21
Darren Booth
Really just trying to say ‘If we don't need it for some sort of analysis or developing the product or service, then why would we keep it?’ And let's just get rid of it, because if we don't have it, then I can't get breached and it can’t get leaked. So there's a real mindset change that we're seeing in a number of businesses in relation to that.
00:24:59:10 - 00:25:00:12
Darren Booth
From what it was a few years ago.
00:25:01:13 - 00:25:35:22
Andrew Sykes
Darren that's been absolutely terrific. Unfortunately, we're running out of time for our podcast. I think cyber security is fascinating. I think it's an emerging problem for business and we can all see that and the reputational damage, let alone the risk of having your funds diverted without your knowledge. So thank you very much for those tips. If any of our listeners want to find out more, they can check out the RSM website where our cyber security division has plenty of information and materials.
00:25:36:05 - 00:25:38:04
Andrew Sykes
So thank you very much, Darren.
00:25:39:13 - 00:25:41:02
Darren Booth
No problem. My pleasure. Thanks for having me.
00:25:41:02 - 00:26:02:14
Andrew Sykes
And thank you Young. And Chris, thank you. And thanks to everyone for taking the time to listen to our podcast. This has been the RSM talkBIG podcast. Remember to subscribe to us wherever you get your podcasts from and if you have a chance refer us on to a friend, it'd be great to get more listeners to our podcast.
00:26:03:03 - 00:26:07:16
Andrew Sykes
My name's Andrew and thank you for listening to the RSM talkBIG podcast.
This page has been prepared by RSM Financial Services Australia Pty Ltd ABN 22 009 176 354, AFS Licence No. 238282.
As everyone's circumstances are different and this article doesn't take into account your personal situation, it is important that you consider the above in light of your financial situation, needs and objectives, and seek financial advice before implementing a strategy.