We all know that FUD (Fear, Uncertainty, and Doubt) is a tried and true method to get your attention and try to sell you something that you MUST HAVE to protect yourself. Cybersecurity for Small Business is definitely one of those areas that is prone to this tactic.
Whilst I want you to understand the real risks of not having a good cybersecurity strategy for your business, we don’t need to labour all the FUD.
So here is some of the FUD, so you can get it all in one place, and we don’t need to talk about it much again, except where it raises questions specifically related to your business. (NOTE: There is far too much FUD online to list it all here, so I’m sticking with government and industry resources.)
All of the types of threats
Well, the ones that the Australian Cyber Security Centre wants you to know about. There is also a good quiz on spotting scams.
Account Compromise
Business Email Compromise
Cryptomining
Data Breaches
Hacking
Identity Theft
Malicious Insiders
Malware
Phishing
Quishing
Ransomware
Scams
There is also the NIST page on Cybersecurity Risks
Annual Cyber Threat Report 2024
This is where the statistic comes from that you will see just about everywhere - that the average self-reported cost of cybercrime for small business is $49,600, and the top 3 self-reported cybercrime types for business are:
email compromise (20%)
online banking fraud (13%)
business email compromise fraud (13%)
And these are only the ones that are reported. Many small businesses do not even report if something has happened.
A newish part of the report is AI and cybercrime. This will become a much bigger area that we need to be aware of.
AI and Cybercrime
Australia - general page on AI that includes questions to ask about AI in your business.
The 6 Cyber Shields
This is the basis of the 2023-2030 Australian Cyber Security Strategy that we will continue to hear more about over the coming years. The shields are
Strong businesses and citizens
Safe technology
World-class threat sharing and blocking
Protected critical infrastructure
Sovereign capabilities
Resilient region and global leadership.
And it is at least written in a non-FUD way, but as there is not a huge amount of detail at this stage, it does bring up some uncertainty.
Supply Chain Attacks
One of the biggest and best-known supply chain attacks in recent years was SolarWinds, and then there was the US pipeline incident, so the term has been in the news a lot more in the past few years.
Australia - Information page on Supply Chain Attacks
New Zealand - good resource on Supply Chain Cyber Security.
Beware of your MSP
MSPs have a very important role for small businesses, and become a key part of your team, but they can be targets for cybercrime too - and that can affect you. This is a type of supply chain attack. This article includes tips on how to engage with MSPs securely, and details a case where an MSP was hacked.
Alerts and Advisories
The ACSC’s page that lists all the critical vulnerabilities they think you need to know about. If you’ve heard the terms CVEs or KEVs, then this is where you will find them. But many small businesses won’t have the hardware or software that these affect. When you start to hear about one on the news (e.g. Log4j), then you probably need to start thinking about it. However, if you do have servers, or hardware connected to the internet, then you do need to know about this stuff, unfortunately. Of course, your first step is to ensure all your devices are set to auto update, so any issues are resolved as quickly as possible.
Have you been hacked
The starting point for finding out what to do if you think you have been hacked.
When you have an Incident
The Australian Institute of Company Directors (AICD) has a good resource about governing through a cyber crisis.
SaaS Shared Responsibility Model
This is less of a FUD topic, but one that is important, as we all use Software as a Service. Just because you have a shiny SaaS app that promised you the world, it does not mean your use of it is secure. The provider secures the platform itself; how you configure it, who you share with, and what data you put in it are your responsibility. You can easily share a sensitive document publicly on Dropbox, or inadvertently release customer data from a misconfigured AWS S3 bucket, or have your Salesforce set up in a way that shares all the data in Salesforce with another SaaS app you are integrating with. And all of this is on you.
OWASP Top Ten
Now, most small businesses won’t need to know anything about it, but if you have a web app of any kind, or even just a website where users log in, then this is when you need to start knowing about these risks. I’m including it here because you may have heard someone techy mention the name OWASP Top Ten, or Cross-Site Scripting (XSS), or Injection Attacks. But this is where you will need a Trusted Advisor to help you out with this level of detail.
Legislation and Regulation
Not included in this list is anything to do with your regulated responsibilities such as:
Notifiable Data Breaches
Privacy Act
APRA legislation
SOCI legislation
etc
Yes, these are very much full of FUD, but they are the ones that you actually do need to know about, if you are covered by a specific piece of legislation or regulation.
Table 1 in the AICD Cyber Security Governance Principles handbook lists much of the legislation that governs cybersecurity across Australia. And there is much more detail than that in other resources also.