Cyber security a key risk

Low awareness of cyber security risks remains a key issue for the business sector.

Of all the topics that IT consultant Jawid Dadarkar raises with customers, cyber security is among the most common.

“This is one of my main topics of discussion,” Mr Dadarkar told Business News.

“A lot of small businesses are unaware of just what cyber risk is, and how much risk they face.”

(click here to view a PDF version of the full two-article special report)

As managing director of South Perth-based Lindentech, Mr Dadarkar has helped many small-to-medium enterprises deal with the issue.  

“I tell clients 95 per cent of your hacks are going to come from your own people; most hacks are caused by people with a loose password or clicking on a malicious link,” he said.

“I start by saying ‘you need to educate the people you’ve got’.”

Lack of awareness of cyber risk was one of the findings of an ANZ Bank research report, ‘The Digital Economy: Transforming Australian Businesses’.

It found 55 per cent of businesses have little or no knowledge about cyber attacks.  

It also found 5 per cent of SMEs had experienced a cyber attack in the past 12 months, with the average financial impact at almost $3,000.

Asterisk Information Security is a boutique consultancy established eight years ago with a specialist focus on cyber security.

“We saw a need in WA,” managing director Steve Schupp said.

“In our previous jobs we were frustrated by our inability to get the capability we needed.

“The traditional IT providers didn’t have a specialised focus in this area.”

He said the sector had grown rapidly, as reflected in the emergence of competitors such as Diamond Cyber, chaired by iiNet founder Michael Malone.

Other players in the sector include Edith Cowan University spin-out Sapien Cyber, which is backed by Woodside Petroleum, and specialist testing firms such as Seamless Intelligence.

Asterisk offers multiple services, including specialist testing, for its customers, which are mostly larger businesses.

“When we do penetration testing we’re acting like an internet attacker and we’re testing a client’s technical security controls, but also their ability to detect and respond a compromise or a breach,” Mr Schupp said.

“When we do a vulnerability assessment we’re taking a wide look at a customer’s environment and reporting on all the vulnerabilities we find.”

Asterisk also has a consulting arm, providing advice on what controls a customer might need.

“We’re seeing a lot more demand, especially with small digital businesses looking to sell to a big telco or a bank or other big companies,” Mr Schupp said.

“They are asked: ‘What is your security policy and how do you maintain cyber security?’”

Mr Schupp told Business News there were common issues facing businesses of all sizes.

“One of the problems is that people use one password everywhere,” he said.

“They’ve got lots of websites to log into so they use one password.”

Mr Schupp said hackers were very quick to use email and password data breaches.

“They will send in fraudulent invoices or they will get access to internet banking, and change destinations or change transaction details after they’ve been posted.”

Another common risk was ransomware attacks, where hackers drop mailware onto workstations after a user clicks on an email link.

The hacker will encrypt the file server and then hold the business to ransom.

To address these risks, Mr Schupp suggested increased use of multi-factor authentication, such as an SMS code in addition to user name and password.

“Especially on Office 365, that gives you a lot more protection against inbox attacks,” Mr Schupp said.

He also suggested moving away from a single password with the help of password manager software.

“I have a unique password for every website I access but I only have to remember my master password to unlock the password manager,” Mr Schupp said. 

“The effort of remembering all these passwords is taken off my hands.”

Mr Dadarkar also recommends the use of a password manager such as Last Pass, which encrypts passwords, so that clients don’t store passwords on an Excel spreadsheet, for example.

Mr Schupp said all businesses are at risk.

“The hackers aren’t selective. It’s not about your business particularly,” he said.

“For them it’s a volume game. The more inboxes they can compromise, the better chance they have of making money.”

Cisco Asia Pacific vice-president, commercial and small business, Bastiaan Toeset, supported this view.

“It is a bit of misconception that small businesses are less vulnerable to security; they are actually more vulnerable because the impact on their business when they are disrupted is much more significant for them,” Mr Toeset said.