October is Cybersecurity Awareness Month, making it the perfect time for small business owners to reassess how you can best protect your operations from cyber threats. Given the rise of cybercrime in Australia and around the world, small businesses are prime targets for all sorts of attacks.
As Mark Knowles, General Manager of Security Assurance at Xero, puts it: “Small and medium businesses are under increased attack because cybercriminals see them as a vulnerable target. They expect small businesses won’t invest a whole lot of time in thinking about how to protect themselves.”
Fortunately, even small changes to how you do business can make a big difference in defending against these threats. Here are some practical ways your business can defend against cybercrime – not just in October, but for the long term.
1. Strengthen your first line of defence
One of the simplest ways cybercriminals infiltrate businesses is through phishing, which tricks recipients into clicking on malicious links or sharing sensitive information. According to Knowles, phishing attacks remain the most common threat to small businesses today, and scammers are getting even more sophisticated.
“Phishing is still the most common attack vector, but now we’re also seeing ‘vishing’ – voicemail attacks – and ‘smishing’, which uses text messages to attack,” he says. “A friend of mine clicked on a road-toll payment link in a text message, thinking the $3.50 charge was legitimate. Two-and-a-half weeks later, $3,500 was stolen from her credit card.”
The key, Knowles says, to avoiding these scams is to simply slow down. “Take 10 or 15 seconds longer to read the email or text message properly. That small amount of time could save your company.”
2. Prepare for AI-powered threats like deepfakes
An unfortunate reality of exponential technology development is that artificial intelligence (AI) is making cyberattacks even harder to spot. Deepfake technology, which uses AI to manipulate audio and video, is already being used by cybercriminals today.
“It takes just 10 to 15 seconds of audio or video recording to create a convincing deepfake,” Knowles warns. He cites a worrying example from Hong Kong where a finance worker was tricked into transferring $25 million during a video conference with what turned out to be deepfake participants posing as executives.
The rapid evolution of AI means phishing emails and other scams are becoming harder to detect. “AI has improved phishing scams to the point where poor grammar and obvious red flags – like eye twitching or voice crackling on videos – are disappearing,” says Knowles.
If in doubt, he suggests picking up the phone. “Go and find someone who can be an IT support for you, and keep their number written down on a piece of paper you can easily find. Having a ‘black book’ of phone numbers for trusted contacts who you know means you can call to get support as soon as an incident happens or if you feel like you’ve been scammed. Having someone you can call to verify everything is really important.”
3. Encourage a team culture that celebrates cybersecurity
Building cybersecurity awareness across your team – whether it’s a group of employees or just yourself and a business partner – is something every owner should invest in. It could start as something simple like creating opportunities for staff to learn from one another.
“Sit down with your team, print out phishing emails and discuss what to look for,” Knowles says. “It’s a great way to build awareness.”
He also encourages businesses to develop community support networks: “Set up a chat group with other local businesses to share experiences. Maybe you get together once a month to talk openly about the sort of attacks you are seeing – because you will be seeing them. That way you’re removing any embarrassment, and you’ve also got people you can call if you feel like you are under cyberattack.”
4. Have an incident-response plan ready
Many small businesses don’t have the resources to hire dedicated IT teams or set up formal cybersecurity plans, but this can leave you extremely vulnerable during an attack. Having even a basic incident-response plan can make all the difference.
“Have key contact numbers – like your IT support or the police – written down,” Knowles says. “If you’ve been hit with a ransomware attack and your systems get locked down, you won’t be able to access all of your cyber-safety information. Don’t hesitate to contact the police or CERT (Computer Emergency Response Team) Australia. They have skilled people and resources to help.”
Using a ‘safe word’ is another simple but effective strategy, according to Knowles: “Set up a safe word for your company’s trusted contacts and employees, so that when someone is messaging you, then you can verify who they are.”
5. Don’t let embarrassment be your downfall
“Cybercriminals count on your embarrassment to keep you from reporting scams,” Knowles says. “If they can embarrass you, they will come back and steal more and more from you, and it will have a massive impact on your business, your wellbeing and your mental health.
So don’t be ashamed to contact your bank or the police as soon as you realise you’ve been targeted – getting help quickly makes all the difference.
“Make use of your community rather than being anxious about it,” Knowles adds. “The sooner you talk to someone, the faster the problem can be solved.”
Read now: What shoppers want: Ways small businesses can embrace today’s payment trends
Comments