SMEs lack cyber security maturity

According to HLB Mann Judd, the local SME sector lags behind its global peers when it comes to responding to cyber security concerns.

This is partly due to small businesses not being required to report cyber breaches, the firm’s Melbourne partner Kapil Kukreja has said.

Namely in Australia, and under the Mandatory Reporting of Data Breaches regulation, businesses with an annual turnover greater than $3 million must report cyber hacks. However, businesses with a turnover of less than $3 million per year are not required to.

“Given 99.8 per cent of Australian businesses are SMEs, it does create a major disparity in knowing the true extent of cyber crime across the country,” Mr Kukreja said.

“There have been instances where SMEs have been the victim of a cyber security attack and have gone under within six months. Business owners need to be more accountable and ensure their operations are safeguarded against an attack.”

While noting the presence of room for improvement across all sectors, Mr Kukreja said this is particularly true within the SME space.

According to him, all businesses should set aside 1 to 5 per cent of their annual turnover to cyber security.

“This is a guide and it will depend on a range of factors, such as nature of the business and complexity of its systems, but the key for SMEs is they need a budget set aside along with a formal cyber strategy and cyber response plan; it’s about smart spending and it can’t be an afterthought,” he said.

Mr Kukreja recommended the following tips for SMEs in mitigating a cyber breach:

• Make cyber security the responsibility of the board and those charged with governance, it’s a strategic governance issue, not just the work of the IT department.
• Implement the Essential Eight framework to raise their baseline of cyber security and resilience in line with the recommendation of the Australian Signals Directorate (ASD), which recommends all Australian businesses.
• Implement cyber security solutions.
• Consider and perform a stress test – there are companies that can perform a simulated hack of a business to identify vulnerabilities in the IT environment.
• Prohibit downloading of apps or software by all employees. Every unauthorised app or software provides an opportunity for a hacker.
• Review information needing to be collected and stored about customers and suppliers, and if anything is not required and/or obsolete, delete it.