SMEs lagging in cyber-crime awareness and reporting

MEDIA RELEASE: Small businesses are not required to report cybersecurity breaches, resulting in poor records and data collection held by Australian cyber agencies, according to HLB Mann Judd Melbourne partner, Kapil Kukreja.

Mr Kukreja said while the recent Optus and Medicare breaches have increased consumer awareness of cyber-crime, the SME sector has been slower to respond, particularly when compared with their US and European peers.

“The US and Europe are much more advanced in collecting data, and that’s fundamentally driven by businesses reporting any breaches to authorities,” he said.

Under the Mandatory Reporting of Data Breaches regulation, businesses with an annual turnover greater than $3 million must report cyber hacks; however, businesses with a turnover of less than $3 million per year are not required to.

“Given 99.8%[1] of Australian businesses are SMEs, it does create a major disparity in knowing the true extent of cyber-crime across the country.

“There have been instances where SMEs have been the victim of a cybersecurity attack, and have gone under within six months. Business owners need to be more accountable and ensure their operations are safeguarded against an attack.

“There’s room for improvement across all sectors but particularly within the SME sector, as they don’t typically have the resources to manage should a cyber breach occur. Hackers are all too aware of this,” he said.

Mr Kukreja said as a general rule, all businesses should set aside 1-5 per cent of their annual turnover.

“This is a guide and it will depend on a range of factors, such as the nature of the business and complexity of its systems, but the key for SMEs is they need a budget set aside, along with a formal cyber strategy and cyber response plan. It’s about smart spending and it can’t be an afterthought,” he said.

Mr Kukreja recommends the following tips for SMEs in mitigating a cyber breach:

  • Make cybersecurity the responsibility of the board and those charged with governance; it’s a strategic/governance issue, not just the work of the IT department
  • Implement the Essential Eight framework, which the Australian Signals Directorate (ASD) recommends for all Australian businesses, to raise their baseline of cybersecurity and resilience
  • Implement cyber security solutions - IBM found that cybersecurity automation solutions, powered by Machine Learning and Artificial Intelligence, help organizations respond over 27 per cent faster to data breach events
  • Consider and perform a stress-test – there are companies that can perform a simulated hack of a business to identify vulnerabilities in the IT environment
  • Prohibit downloading of apps or software by all employees. Every unauthorised app or software provides an opportunity for a hacker
  • Review information needing to be collected and stored about customers and suppliers, and if anything is not required and/or obsolete, delete it.

“There are well-known examples of cybersecurity breaches but it can happen to businesses of any size. And the reality is, unfortunately it will happen – it’s not a question of if, but when,” he said.

[1] Australia | Financing SMEs and Entrepreneurs 2020 : An OECD Scoreboard | OECD iLibrary (oecd-ilibrary.org)
