Securing SMB organisations: closing the cyber gap through culture

NinjaOne Australia

By MJ Robotham, Director, APAC at NinjaOne
Wednesday, 22 October, 2025


Cybersecurity attacks are becoming more frequent and impactful for Australia. As the nation accelerates the improvement of its cybersecurity posture, many organisations are investing in robust cybersecurity tools, hiring cyber-dedicated employees, and integrating cybersecurity standards into their strategy and business decision-making.

However, there is one major problem.

Investing in cybersecurity is typically easier for large organisations, yet SMBs remain the low-hanging fruit for threat actors. Limited budgets and resources mean SMBs cannot financially prioritise cybersecurity as much as large organisations, so attackers continually target smaller organisations, given the often higher success rate of attacks. Furthermore, while large organisations commonly hire cybersecurity employees, SMBs rarely do, leaving IT workers responsible for security when their time is already split across an overwhelming number of tasks.

It’s crucial now for SMBs to consider how they can support their IT teams, particularly during Cybersecurity Awareness Month, so their organisations become more resilient and productive.

Small businesses, big threats

The Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD) recently developed a small business cybersecurity guide, highlighting some of the common threats that Australian small businesses face. These include phishing attacks, business email compromise (BEC) attacks and ransomware:

  • Phishing attacks: Phishing scams often contain a link to a fake website, where employees are coerced into logging in to an account or sharing confidential details. The attack aims to compromise account passwords, so attackers can then ‘take over’ small businesses’ accounts and hold them to ransom.
  • BEC attacks: BEC attacks occur when cybercriminals impersonate small business representatives by using compromised email accounts or a domain name that looks like a real business. Aside from stealing information, the goal of these attacks is to scam victims into sending funds to a bank account operated by the threat actor.
  • Ransomware: Ransomware locks up or encrypts files, preventing small businesses from accessing them, and then demands a ransom so organisations can get their data back. Attackers might also threaten to publish or sell data online unless a ransom is paid.
     

It’s important to note that the first two types of attack are often caused by human error. Even if small businesses have invested in cybersecurity tools or IT teams regularly scan for vulnerabilities and patch systems, cyberthreats can still creep into businesses if employees don’t play their part. Therefore, Cybersecurity Awareness Month serves as a reminder for all organisations, small or large, that cybersecurity is a shared responsibility.

Supporting your IT team to build a culture of cybersecurity

The theme for this year’s Cybersecurity Awareness Month in Australia is ‘Building a cyber safe culture’ — a mantra that could not be truer for SMBs. Upholding a strong cybersecurity practice is the responsibility of every employee, not just the IT team.

Employees across the organisation need to prioritise their IT teams’ cybersecurity education so they learn more about common cybersecurity threats, the signs of phishing emails, business-specific policies on responsible data sharing, and how to respond in an emergency to mitigate the impact of a breach.

At a leadership level, building a strong cybersecurity culture means listening to IT leaders’ concerns and recommendations. In small businesses, IT professionals are often overextended, particularly with cybersecurity tasks. SMB leaders should connect with their IT employees to understand where they can optimise cybersecurity processes and which tools could make their teams more effective and productive, such as automated IT and endpoint management tools and autonomous patching solutions that save time and costs.

Cyberthreats are not just an IT issue; they are a business-wide challenge that requires vigilance, collaboration and commitment from every employee. As attackers continue to target Australia’s small and medium-sized businesses, it has never been more important for leaders to prioritise cybersecurity as a shared responsibility. By empowering IT teams, fostering a culture of awareness, and ensuring every staff member understands their role in protecting the organisation, SMBs can significantly reduce their risk and build resilience against future attacks.

Image credit: iStock.com/Robin Beckham
