Create a free account, or log in

Log4j and lessons from NewsCorp: Six cybersecurity tips for small business

Cybersecurity is front of mind for big business, and while small businesses aren’t immune, being unprepared could also damage their enterprise relationships.
Ajay Unni, founder of StickmanCyber
Ajay Unni, founder of StickmanCyber. Source: supplied.

Cybersecurity is front of mind for big business, and while small businesses aren’t immune, being unprepared could also damage their enterprise relationships.

The World Economic Forum’s Global Cybersecurity Outlook 2022, released in partnership with Accenture, found 87% of executives in big business are planning to invest in cyber resilience in their organisations.

For SMEs, it’s not always that easy to throw money at the problem.

However 88% of respondents said they see their small business partners as a key threat, expressing concern about their cyber-resilience and the effect a breach on them could have on their own supply chains, networks and ecosystems.

The research comes as cyberbreaches continue to hit the headlines.

In December last year, the Log4j vulnerability was unearthed in a piece of Java code.

That code is used across software applications all over the world, and malicious actors were quick to take advantage of it.

According to Robert Healey, head of business development at cloud-based cybersecurity services provider Peakhour, we may not have seen the worst of the damage.

In December 2021, Log4j attacks made up about 4% of cyber incidents in Australia, Healey said in a statement. In January 2022, that increased to 40%.

“Every Australian organisation with anything connected to the internet — business websites, enterprise web applications and more — needs to be aware of this and pull out all stops to protect against it immediately,” he said.

Lessons from the NewsCorp breach

Just weeks ago, a breach — unrelated to the Log4j — was discovered at media group NewsCorp. Hackers had managed to access US and UK email accounts, reportedly compromising the data of journalists and other employees.

That breach was made through a business email compromise, says Ajay Unni, cybersecurity expert and founder of StickmanCyber.

In attacks like these, hackers are often able to acquire usernames and passwords from the dark web. If an employee’s password for another service has been leaked, hackers will try that same password to log into their work email.

If there’s something to be learnt from the NewsCorp breach, it’s the value of multi-factor authentication, Unni tells SmartCompany — a secondary measure using a mobile phone or app to verify that the person logging into the account is in fact the account owner.

It’s worth noting that the NewsCorp attack is suspected to be the work of a state actor, which may have been sophisticated enough to bypass MFA systems.

However in many cases MFA will stop malicious actors from accessing company emails, and taking advantage of what they find there.

Quick cybersecurity wins for small business

For small businesses that don’t have a heap of cash to invest in cybersecurity, what are the quick wins that can help them stay safe?

Multi-factor authentication

Multi-factor authentication is a first easy — and usually free — line of defence, Unni says.

It’s essentially a no-brainer, he adds.

“Small business should immediately implement multi-factor authentication, which most email providers now offer as part of the package.”

Manage your passwords

Of course it is also safer not to reuse passwords between various platforms, instead creating complex and hard-to-guess passwords and using a password manager to keep track of them all.

This reduces risk, but should be treated carefully, Unni says. If someone can access your password manager, “it’s like opening your wallet and giving access to everything including your bank details”.

Password managers should also require multi-factor authentication, and users should update their master password regularly.

On this note, Unni also warns against having more than one person sharing a username and password. The more people have the same credentials, the harder it becomes to know who is logging in and when, and to detect a bad actor.

Training and awareness

The next step is to get clued up about the kinds of tricks and tactics cybercriminals might use, and to train staff members on best practices for cybersecurity — as well as the risks.

“There is a lot of free material available online,” Unni says.

Test your defences

This may cost a small amount of money occasionally — perhaps even only once a year — but Unni also recommends undergoing some kind of penetration testing, to gauge the strength of your security and improve it if necessary.

Detection response

Again this doesn’t come for free, but if you’re going to invest in anything, Unni says it should be a kind of digital alarm system.

Often, cyber breaches go unnoticed for weeks, months or even years. If you know someone has accessed your systems, “at least you can take action”.

Know your data’s worth

Finally, Unni notes that a lot of small businesses write off cybersecurity as something that’s too expensive or out of reach for them, without necessarily considering the value of what they’re protecting.

A physical jewellery store might have more security than the grocery store next door, he explains, not because it’s a bigger business but because its contents are priceless.

“A lot of businesses undervalue themselves,” Unni says.

If a hacker is able to take over your social media pages, what will that cost the business in terms of accessing customers? How damaging would a breach of a client email list be?

It’s also not uncommon for hackers to access emails and change invoice details, causing businesses to send payments to the wrong accounts.

Small businesses don’t always fly under the radar, Unni warns.

“Start somewhere,” he says.

“Don’t just sit there and say you are not a target.”