Small businesses aren’t automatically immune to cyber attacks because of their size, age, or sector, according to a fresh report that asks Australian SMEs to be honest about their cyber defences.
New research from the $23.4 million Cyber Wardens program, drawn from a survey of 2,100 small business participants, challenges traditional assumptions that mature businesses are better equipped to handle cyber threats than their younger peers.
The report, released Monday, paints a more complex picture — and finds that awareness of cybersecurity risks doesn’t always translate to action.
“This research is the first step in understanding what small businesses need to do, what might be standing in their way and what we can do to support them,” said Luke Achterstraat, CEO of the Council of Small Business Organisations, the group leading Cyber Wardens.
False assumptions putting SMEs at risk
Instead of assuming that mature small businesses are automatically more prepared to fend off a cyber attack than their younger counterparts, the Cyber Wardens program now proposes a five-tier system to help SMEs judge their true capabilities.
Progress through the tiers is determined by factors like how a business uses cybersecurity training, how it perceives external risks, and how frequently cybersecurity is discussed in the workplace.
Adopting this multi-factor assessment is more helpful than making broad assumptions, the Cyber Wardens team states — especially when learning about major cybersecurity breaches can have counter-intuitive consequences for SMEs.
Attacks on businesses like Optus and Medibank raised the public profile of digital crime in Australia and among small businesses, the Cyber Wardens research suggests.
However, they may have had a counter-intuitive effect on small business preparedness.
In particular, some small businesses told Cyber Wardens they are too small to target, and that bigger businesses pose a greater prize to criminals.
This sentiment can lead to inaction on the part of well-informed but vulnerable SMEs, the report says.
The research also suggests a large proportion of small businesses that consider themselves cyber safe rely on third-party providers to handle their digital security, leading to a passive approach from the businesses themselves.
“They assume that the sophistication and dependability of the systems put in place by software companies are far beyond what they could achieve in their small business, so it’s best to leave it up to them,” the report says.
However, the bulk of cyber incidents in Australia are not malware or ransomware attacks targeting software and data systems, but cruder efforts, like phishing and invoice scams, that target individuals as a point of weakness.
Research to inform next phase
The research, and the new five-tier ranking system, will guide the next phase of the Cyber Wardens system.
It will be formally launched at an event in Canberra on Monday, with industry participants invited to have their say on how Cyber Wardens should be administered.
The program currently offers a free, 45-minute e-learning module designed to provide foundational cybersecurity knowledge and best practices to small business participants.
Its goal is to train 50,000 small businesspeople over the next three years, effectively creating a neighbourhood watch-style group for cybersecurity.