Cyber-Security and Small Business in Australia
Over the past 24 hours many media outlets have reported news of increasing cyber-attack activity in Australia.
Our Prime Minister Scott Morrison commented today that these attacks did not just start this week, and are "constant and on-going threats".
As a small business owner, you might be asking yourself "What can I do to protect my business online?". A lot of the information available is confusing, and some of it does not work well at all for small businesses. Here are some general guidelines to think about:
1. Consider what activities each staff member needs to do online
For most, this will be a mixture of email, websites for banking, orders and research, and some other cloud-based applications. Try to limit use of the business computers to these activities.
For all online logins, use strong passwords and try to enable 2-Factor authentication. Also look at deploying some level of automated internet and email filtering.
Beware of "shadow IT", where staff may use computers for unauthorized activities for convenience, e.g. sharing sensitive information on an unapproved Dropbox.
2. Automate Software Updates
Windows Updates, Google Chrome, Adobe Reader etc. all have options for automatic updates that can be enabled. Also, periodically check that these are working!
Ensure that business data is backed up daily and can be recovered in the event of a breach. An industry-accepted practice for this is the 3-2-1 method where ultimately there are 3 copies of data (so, 2 backups!).
4. Have a Disaster Recovery Plan
Sometimes bad things happen, and all we can do is deal with the aftermath. For a cyber-security breach, this is a lot easier if there is some kind of plan available to follow. This includes a plan for containment, business recovery, and notification of affected parties.
(Fun fact: Australia has legally required reporting for this under the Notifiable Data Breach Scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme/ )
5. Get Advice
Your IT provider should be assisting in all of these (at least, we do!). There are also two very important notes that I feel are often missed when discussing cyber-security:
It is an unfortunate fact that you are never guaranteed to be 100% secure. The role of cyber-security that we are discussing here is risk minimisation. Security software vendors and policies can only deal effectively with threats that we know about NOW, but hackers are already working on NEW ways to breach systems that no-one knows about.
It is highly likely that you will not be able to implement every security measure even if you wanted to. Some strategies will simply impact your day-to-day business use of the computer too much. Accept this and look for other ways to minimise risk.
As a closing thought, I encourage you as a business owner to consider the following question: Do I know what security is in place for my business and am I comfortable with that level of protection?
There is a lot more that can be said on cyber-security, but the items above should give a good starting point.