The global cybersecurity threat is spreading to small and medium-sized enterprises (SMEs) that are unprepared for cybercrime, putting clients, organisation viability and company directors – who may be personally liable for data breaches – at risk. That is the view of Scott McKean, the recently appointed Chief Security Officer (CSO) at Interactive, Australia’s largest privately owned information technology company. ‘SMEs that lack cybersecurity systems are easy targets,’ says McKean. ‘Cybercriminals are stealing data, intellectual property, financial records and other critical information from SME clients. They are using ransomware to force SMEs to pay to recover the data.’
SMEs Are Becoming an Attractive Target for Cybercrime
McKean says that a significant data breach can cripple SMEs. ‘Cyber emergencies take lots of time and money to fix. But the longer-lasting damage is loss of client trust and damage to the company’s reputation. People stop doing business with firms that cannot safeguard data.’ Cybersecurity is mostly portrayed as a big-business issue: cybercriminals attacking multinationals or government enterprises that hold a lot of data. Less considered is the growing prevalence of SME attacks. About 58 per cent of all cyber attacks target small businesses, according to Verizon’s 2018 Data Breach Investigations Report.
Almost half of the breaches involved hacking and 30 per cent included malware, software designed to disrupt, damage or gain unauthorised network access. Ransomware is now the most prevalent form of malware, according to the Verizon report. McKean has seen the damage firsthand. ‘Most SME data breaches don’t make headlines, but a day rarely goes by that I do not hear about a data breach in an SME here or overseas.’ SMEs are becoming an attractive target for cybercrime for three reasons. First, banks, insurers and other large organisations have invested in cybersecurity and developed stronger internal processes, making it harder to breach their defences.
SMEs, in contrast, typically have fewer resources for cybersecurity. Some SMEs may believe that cybersecurity is a multimillion-dollar investment that they cannot afford or are baffled by the thousands of vendors and technologies in this area. Or, they only get serious about cybersecurity after a breach. Second, SMEs often have legacy technology systems that have been added to over the years, providing easy entry points for cybercriminals.
Cyberattacks Are Going Unnoticed
Other SMEs provide network access to their suppliers, some of which have lax cybersecurity. Prominent data breaches overseas, notably at US retail giant Target in 2013, involved cyber attacks via a supplier. Third, SMEs are doing more business online. They are collecting, storing and accessing client data, much of which is sensitive, and providing tools for mobile devices, a growing channel for cybersecurity attacks. ‘Most SMEs do not have their house in order when it comes to cybersecurity, although the same could be said of many large organisations,’ says McKean. ‘They assume that if their system has not been hacked then they are safe. They don’t realise how easy it is for cybercriminals to get into their system, stay for an average of six months without data-breach detection (on average, according to Verizon research), and do damage.’ Also, some SMEs may not realise that they are subject to new government rules on cybersecurity that personally affect their owners.
Cybersecurity Has Legal Implications for Company Directors
The Notifiable Data Breaches (NDB) scheme, which took effect in February 2018, requires organisations to alert the Office of the Australian Information Commissioner (OAIC) and all affected clients if a hacking of their information could result in serious harm. The new laws apply to businesses with an annual turnover of at least $3 million, meaning many SMEs are captured. A medical practice, for example, that meets that requirement has to inform the OAIC and patients if their personal data is breached, which could damage the firm’s reputation, lead to client losses or even a class action against the firm. Cybersecurity has legal implications for company directors. The Australian Securities and Investments Commission (ASIC) views the cyber resilience of organisations as part of each director’s statutory duty of care and diligence. The primary legal question for directors is whether they adequately discharged their duty of care with respect to cybersecurity. Although case law on cybersecurity liability is evolving, the message for company directors, regardless of an organisation’s size, is clear: those who take no steps to understand their organisation’s cybersecurity risk and do not ensure that it is managed may be in breach of their duties.
Interactive, a leader in SME cybersecurity, announced McKean’s appointment as CSO in March 2019. The appointment is part of Interactive’s strategy to expand its cybersecurity capability. McKean has extensive cybersecurity experience, leads Interactive’s team of eight cyber specialists and can access the firm’s 140 cloud-engineering specialists on cybersecurity issues. ‘Interactive’s scale is an advantage for SMEs,’ says McKean. ‘We provide a genuine end-to-end service, from examining a firm’s current system, to developing a cybersecurity strategy, assessing and implementing technologies, and ongoing threat detection and response. ‘Interactive’s size provides the “best of both worlds” for SMEs,’ says McKean. ‘With 560 staff members, we’re large enough to access the best cybersecurity technology and vendors worldwide – but not so large that SMEs feel they cannot get personalised, tailored service. When SME clients call Interactive, they speak to someone in Australia who knows their business.’
Best Practice: Cybersecurity Methodology
The firm’s full Australian ownership is a differentiator. ‘Local SMEs are not dealing with a global tech firm that sends their data overseas,’ says McKean. ‘Interactive runs its own fully secured data networks in Australia, complies with all relevant standards and has detailed internal data processes. That’s important for SME directors wanting to sleep easier at night knowing the data is kept in Australia.’ Extended experience with SMEs is another advantage. The firm has more than 2000 customers – about 80 per cent of them SMEs – across industry. Interactive has run its own data centres and provided data-protection services for almost three decades. About 140 clients use its cybersecurity services and that number is growing quickly. McKean says Interactive’s cybersecurity methodology is a strength. ‘Our approach assumes a breach whether one is evident or not. It’s amazing what we find because so many data breaches go undetected and lurk in SME networks.’
Interactive’s methodology uses a holistic approach. ‘For too long, SMEs have added new technology to their systems to address cybersecurity. The result is often a piecemeal, patched-up system that is easy for cybercriminals to breach. Interactive develops, implements and maintains comprehensive, cost-effective cybersecurity systems that continue to deliver excellent results for clients.’ Interactive has a flexible approach with SME clients. It can scale cybersecurity services up or down depending on needs, or vary them around a client’s peak trading periods. There are options for upfront and ongoing monthly billing, and to tailor the cybersecurity investment to a client’s cash flow or asset-depreciation strategies. ‘SMEs can get world-class cybersecurity technology for less than they might think,’ says McKean. ‘Technology that costs a fraction compared to the damage that can be done by a data breach.’
Article first appeared in Forge magazine.