The FUD Factor

We all know that FUD (Fear, Uncertainty, and Doubt) is a tried and true method to get your attention and try to sell you something that you MUST HAVE to protect yourself. Cybersecurity for Small Business is definitely one of those areas that is prone to this tactic.

Whilst I want you to actually know what the risks are of not having a good Cybersecurity strategy for your business, we don’t need to labour on all the FUD.

So here is some of the FUD, so you can get it all in one place, and we don’t need to talk about it much again, except where it raises questions specifically related to your business. (NOTE: There is far too much FUD online to list it all here, so I’m sticking with government and industry resources).

I could go on and on and on with the contents on this page, but what I’ve listed is already too much. So just skim the words, or pick one or two articles to read.

Directors and Boards

ASIC, AICD, and the Governance Institute, along with many others, are really homing in on the director’s and board’s responsibilities for cybersecurity.

All of the types of threats

Well, the ones that the Australian Cyber Security Centre wants you to know about. There is also a good quiz on spotting scams.

  • Account Compromise

  • Business Email Compromise

  • Cryptomining

  • Data Breaches

  • Hacking

  • Identity Theft

  • Malicious Insiders

  • Malware

  • Phishing

  • Quishing

  • Ransomware

  • Scams

There is also the NIST page on Cybersecurity Risks.

Annual Cyber Threat Report 2024

This is where the statistic comes from that you will see just about everywhere - that the average self-reported cost of cybercrime for small business is $49,600, and the top 3 self-reported cybercrime types for business are:

  • email compromise (20%)

  • online banking fraud (13%)

  • business email compromise fraud (13%)

And these are only the ones that are reported. Many small businesses do not even report if something has happened.

A newish part of the report is AI and cybercrime. This will become a much bigger area that we need to be aware of.

Small Business Cybersecurity Myths

You will come across many of these articles online listing out all the myths that small businesses are somehow immune to cybercrime, because they are too small or don’t have any data to steal. But see below re Supply Chain Attacks and MSPs being hacked; it may not be about you at all. These articles are just a few of the many on this topic.

I chose the building industry one because my background is in home building construction so I know those risks all too well.

AI and Cybercrime

The 6 Cyber Shields

This is the basis of the 2023-2030 Australian Cyber Security Strategy that we will continue to hear more about over the coming years. The shields are:

  1. Strong businesses and citizens

  2. Safe technology

  3. World-class threat sharing and blocking

  4. Protected critical infrastructure

  5. Sovereign capabilities

  6. Resilient region and global leadership.

And it is at least written in a non-FUD way, but as there is not a huge amount of detail at this stage, it does bring up some uncertainty.

Supply Chain Attacks

One of the biggest and best-known Supply Chain Attacks in recent years was SolarWinds; then there was the US pipeline incident, so the term has been in the news a lot more in the past few years.

Australia - Information page on Supply Chain Attacks.

New Zealand - good resource on Supply Chain Cyber Security.

Beware of your MSP

MSPs have a very important role for Small Businesses and become a key part of your team, but they can be targets for cybercrime also, and that can affect you. This is a type of supply chain attack. This article includes tips on how to engage with MSPs securely, and details an incident where an MSP was hacked.

Alerts and Advisories

The ACSC’s page that lists all the critical vulnerabilities they think you need to know about. If you’ve heard the terms CVEs or KEVs, then this is where you will find them. But many small businesses won’t have the hardware or software that these affect. When you start to hear about one on the news (e.g. Log4j), then you probably need to start thinking about it. However, if you do have servers, or hardware connected to the internet, then you do need to know about this stuff, unfortunately. Of course, your first step is to ensure all your devices are set to auto update, so any issues are resolved as quickly as possible.

Have you been hacked?

The starting point for finding out what to do if you think you have been hacked.

When you have an Incident

The Australian Institute of Company Directors (AICD) has a good resource about governing through a cyber crisis.

SaaS Shared Responsibility Model

This is less of a FUD topic, but one that is important, as we all use Software as a Service. Just because you have a shiny SaaS app that promised you the world, it does not make it secure. You can easily share a sensitive document publicly on Dropbox, or inadvertently release customer data in a misconfigured AWS S3 bucket, or have your Salesforce set up in a way that shares all the data in Salesforce with another SaaS app you are integrating with. And all of this is your responsibility.
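To make the S3 bucket point concrete, here is an added example (not code from this page or from any of the resources it links to) that checks an S3 bucket policy for the classic mistake of granting access to an anonymous principal, alongside a corrected policy that only allows a named role and refuses unencrypted connections. Both policies, the bucket name, the account id and the role name are constructed for illustration; the four Public Access Block flag names are the real AWS settings. The check runs offline on the policy document itself, so nothing here talks to AWS.

```python
import json

# Constructed example: a bucket policy that lets anyone on the internet read every object.
# This is an illustrative policy written for this example, not any real bucket's policy.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-files/*"
    }]
})

# Constructed corrected policy: only one named IAM role can read, and TLS is required.
# Account id and role name are placeholders.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-files/*"
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-files",
                "arn:aws:s3:::example-customer-files/*"
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
    ]
})


def _is_anonymous(principal):
    """True if the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to an anonymous
    principal with no Condition narrowing it. Deny statements are ignored,
    so a 'Deny unless TLS' rule with Principal "*" is not flagged."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # AWS accepts a single statement object
        statements = [statements]
    flagged = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def public_access_block_ok(config):
    """The bucket-level safety net: all four Public Access Block flags must be
    True for AWS to reject public ACLs and public bucket policies outright."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(key) is True for key in required)


if __name__ == "__main__":
    print("weak policy, public statements:", find_public_statements(WEAK_POLICY))
    print("fixed policy, public statements:", find_public_statements(FIXED_POLICY))
    print("public access block fully on:",
          public_access_block_ok({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True}))
```

The policy check is the thing a trusted advisor would run over every bucket that holds customer data; the Public Access Block check is the setting that makes the weak policy impossible to apply in the first place, which is why it is worth turning on before anyone gets the policy wrong.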

OWASP Top Ten

Now, most small businesses won’t need to know anything about it, but if you have a Web App of any kind, or even just a website where users log in, then this is when you need to start knowing about these risks. I’m including it here because you may have heard someone techy mentioning the name OWASP Top Ten, or Cross-Site Scripting (XSS), or Injection Attacks. But this is where you will need a Trusted Advisor to help you out with this level of detail.

War Words

As you start to read about cybersecurity, especially articles trying to raise feelings of FUD, you will come across many examples of “war words” being used. Yes, we sort of have to use the words cyber attack and cyber crime, but we don’t need to get into the rhetoric that Australian businesses are targeted and under attack from nation state APT adversaries (just to throw all the buzzwords in there). Yes, there is some fact in these stories, but you can get the facts from elsewhere without having to read words that are really not helpful. When you come across these articles, just move on, and get some information in a much more friendly way.

Hacker Focused Words

If you are seeing articles about Advanced Persistent Threats, Remote Code Execution, Zero Day, or Command and Control, move on. Yes, you may need to know these things if you are a cybersecurity professional, but leave it up to us to explain it when and if you need to. You have enough to think about with just getting the basics right before you need to be worried about Nation State Actors (hopefully).

Here’s a glossary if you are really interested though.

Legislation and Regulation

Not included in this list is anything to do with your regulated responsibilities such as:

  • Notifiable Data Breaches

  • Privacy Act

  • APRA legislation

  • SOCI legislation

  • etc

Yes, these are very much full of FUD, but these are the ones that you actually do need to know about if you are covered by a specific piece of legislation or regulation.

Table 1 in the AICD Cyber Security Governance Principles handbook lists much of the legislation that governs cybersecurity across Australia. And there is much more detail than that in other resources also.