The recent Optus and Medicare breaches greatly increased consumer awareness of cyber-crime. However, most Australian businesses are not required to report cybersecurity breaches.
The US and Europe have been collecting data on cybersecurity breaches for some time, and that collection is fundamentally driven by businesses reporting any breaches to authorities.
In Australia, the Mandatory Reporting of Data Breaches regulation applies only to businesses with an annual turnover greater than $3 million. Therefore, under the current law, more than 90% of Australian businesses are not required to report breaches.
With no formal reporting in place for the majority of businesses in Australia, we do not know the full impact of cyber-crime in the country. Unfortunately, hackers are all too aware of the current reporting laws and vulnerabilities in the SME sector.
Business owners need to ensure their operations are safeguarded against an attack. As a general rule, businesses should set aside 1-5 per cent of their annual IT budget for cyber security. In addition to setting a budget, business owners should also develop a formal cyber strategy and cyber response plan.
Recommendations for SMEs in mitigating a cyber breach
- Make cybersecurity the responsibility of the board and those charged with governance; it’s a strategic/governance issue, not just the work of the IT department
- Implement the Essential Eight framework, which the Australian Signals Directorate (ASD) recommends for all Australian businesses, to raise the baseline of cybersecurity and resilience
- Implement cyber security solutions – IBM found that cybersecurity automation solutions, powered by Machine Learning and Artificial Intelligence, help organisations respond over 27 per cent faster to data breach events
- Consider and perform a stress-test – there are companies that can perform a simulated hack of a business to identify vulnerabilities in the IT environment
- Prohibit downloading of apps or software by all employees. Every unauthorised app or software provides an opportunity for a hacker
- Review what information needs to be collected and stored about customers and suppliers, and delete anything that is not required and/or obsolete.
Last year’s high-profile security breaches raised much-needed awareness of cyber-crime in Australia. Unfortunately, the reality is that a cyber breach can happen to a business of any size. It’s not a question of if, but when. There is room for improvement within the SME sector for managing cybersecurity and reporting any breaches.