As the threat escalates, Australian Small Business and Family Enterprise Ombudsman has said knowledge of where small-to-medium businesses should turn in the event of a cyber attack is also unclear.
According to Kate Carnell, Australian Small Business and Family Enterprise Ombudsman, half of small-to-medium enterprises (SMEs) operating in Australia believe their limited online presence protects them from cybercrime.
However, Carnell believes the opposite to be true — that the presence they have does make them a prime target for cyber criminals.
Speaking at the ASIAL Security Conference in Sydney last week, Carnell said a lot of SMEs don’t think they have anything warranting a cyber attack, believing criminals instead would target the “big guys”.
“They know the big guys have really cool systems and they know the little guys haven’t,” she explained. “Cyber criminals now are attacking small businesses as a result, very, very regularly.”
A former pharmacy owner, Carnell said she employed a range of physical security practices, including multiple safes, as a way of preventing the bad guys from accessing both her business’ money and medication. But now, she said the threat to a pharmacist is the world — not just a few known local nuisances.
“Everybody can attack the computer system in a pharmacy,” she said.
“Small business are attacked for a whole range of reasons, one is their systems are pretty low, their knowledge in the area is pretty low, they don’t have in-house IT people, most people don’t really understand this stuff at all … and they have a tendency to pay accounts and invoices quickly. When you get a false account, they have a nasty habit of being paid.”
According to the ombudsman, the average cost to businesses as a result of an online scam is about AU$10,000, with most of the scams coming in via email or phone.
30 percent of small businesses reported experiencing a cybercrime incident in the year to mid-2015 — a 109 percent increase over the year prior. Carnell, however, is certain that figure was a lot higher as a lot of small businesses don’t want to admit they’ve fallen victim.
Australia is a nation of small business operators — defined by the ombudsman as business employing less than 20 employees and by the Australian Taxation Office as businesses turning over below $10 million.
In Australia right now, 97 percent of business are small businesses employing less than 20 employees — that is 2.1 million individuals employed by a small business.
“The vast percentage of businesses in this country fall into that category,” she said.
Carnell added that many do not have a chief operating officer, in-house lawyers, or IT folk. They don’t really get cybersecurity even though they know it’s a problem, and the CEOs are often actively running the day-to-day business with an office structure around them. As a result, cyber protection is often forgotten.
“This is starting to be a bigger impact among our economy … than some traditional forms of crime,” she explained, but noted that the challenge for many SMEs is they don’t know how to protect themselves.
“The reason they don’t know how to deal with it is that there’s so much stuff in the space across government … there’s a lot of different parts of the federal government dealing in the cybersecurity space.
“But from a small business perspective, where do you go? Do you go to ASIC, the AFP, Scamwatch, the ATO?”
Previously, Opposition Leader Bill Shorten said that millions of SMEs in Australia need the federal government to help them stay safe in the digital world.
“They need [help] in the way that’s simple enough for them to incorporate it into their business and that they can afford,” Shorten said, addressing Parliament in November. “This means having the resources to design cyber defences for products, processes, and people.”
With grants of up to AU$2,100 becoming available next year to SMEs to support a cybersecurity IT system, Carnell said Australia is still a mile away from small businesses knowing where they have to go to report and what they have to do to be safe.
“60 percent of small businesses that have a major cyber attack go broke within 12 months,” she said.
“This is a huge problem and it’s a major opportunity for the cybersecurity industry.”