Cyber security can be overwhelming for Small to Medium Enterprises (SMEs) in Australia, especially with limited resources. This blog will guide you through straightforward, cost-effective measures to help avoid the pitfalls of common cyber threats.
Why is this so relevant?
In the past five years, we’ve seen high-profile data breaches involving major players like Optus and Medibank. Even smaller targets, like a payroll software provider and regional Victorian hospitals, have been hit by ransomware attacks. This flood of breaches can lead to ‘data breach fatigue,’ where it feels like the risks are too overwhelming to tackle. However, many of these incidents are preventable. For SMEs, the cost of a data breach can be devastating, both financially and reputationally.
Our consulting experience has shown us that complacency often leads to the worst outcomes. According to Cyberdaily.au, 41% of Australian organisations surveyed reported at least one data breach in the last year, with 33% experiencing 11 or more breaches.

So, how can SMEs deal with the volume of technical information and the constantly evolving vulnerabilities without feeling overwhelmed or overstretching the budget? Start by taking an independent, risk-based approach to cyber security: begin with the cost-effective measures described in this blog and seek additional support only where necessary.
Understand Your Risks
The first step in protecting your business is understanding your own cyber security landscape. Know the regulations and standards that apply to your business, such as the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme it contains. Assess what kind of information you handle and the technology you use to determine where your vulnerabilities lie. A fair question at this point is: how can there be physical cyber security threats when the subject is technology?
Depending on what records and information you keep, and whether your business operates from physical premises, online, or both, your exposure will differ on both the technology and the physical side. An unencrypted laptop stolen from a car, or a server cupboard left unlocked, is a data breach just as much as a phishing email is.

- Different industries face different risks. For example:
  - Ecommerce businesses need to focus on payment security and protecting customer data.
  - Healthcare providers must prioritise data encryption and secure access controls.
  - Financial services firms should emphasise fraud detection and regulatory compliance.
  - Manufacturing companies need robust network security and incident response plans.
  - Professional services firms must ensure data confidentiality and secure communication.
- To gauge your risk profile, consider these steps:
  - Identify and list all your assets and data (including the hardware that stores data, network components and software).
  - Classify the data based on sensitivity and importance (personal data, financial information, intellectual property).
  - Understand common threats and vulnerabilities in your industry (phishing, malware, insider threats).
  - Assess the potential financial impact of a cyber incident (data breach, ransomware attack and downtime).
In 2024, medical practices were hit by a ransomware attack that locked them out of patient medical records for several days and forced them to restore from backups. Some patient health information was lost. Clinicians were unable to work during the outage, and patients were unable to obtain information and support that may be time-sensitive and critical to their care.
Craft Your Cyber Security Strategy
Creating a solid risk management strategy doesn’t have to be overwhelming. Start by identifying and prioritising risks using frameworks like the NIST Cybersecurity Framework or ISO/IEC 27001, or, for a shorter and Australian-specific list of baseline controls, the ACSC’s Essential Eight.
Breaking down how to define your risk profile and appetite:
- Assess and list how different cyber incidents could disrupt business operations, supply chains and service delivery.
- Understand how data breaches or cyber incidents could affect customer trust and business reputation.
- Determine the likelihood of occurrence. Review historical data within the company and/or the industry.
- Establish a tolerance for risk – develop a risk appetite statement outlining the level and type of risk the organisation is willing to accept.
- Balance the need for security with operational efficiency and cost considerations. This is key for small to medium businesses.
Implement the necessary controls and consider cyber insurance to mitigate financial risks. Regularly review and update your strategy to adapt to new threats.

Many actions that mitigate cyber security risk require no significant investment of funds; what they do require is a time commitment up front.
Businesses should recognise that the cost of a single breach is significant, and use their risk profile to decide where time and money are best spent to protect the organisation.
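The risk profile steps above (inventory, classify, assess likelihood and impact, compare with your appetite) are easy to keep in a spreadsheet, but it helps to see the scoring worked through once. The following is an added example, not code from the original post: a small qualitative risk register that scores each risk as likelihood × impact on a 1–5 scale, rates it, and returns only the risks above a numeric appetite threshold, highest first. The assets, threats, scores and dollar figures are constructed sample data for an imaginary medical practice, not real figures.

```python
"""Qualitative risk register for an SME: score, compare with appetite, prioritise.

Added example, not code from the original post. Each risk is scored as
likelihood x impact on a 1-5 scale, rated, and compared against a numeric
risk appetite threshold taken from the organisation's risk appetite
statement. All assets, threats, scores and dollar figures below are
constructed sample data, not real figures.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str              # from the asset inventory
    classification: str     # sensitivity: personal data, financial, IP, public
    threat: str             # e.g. ransomware, phishing, lost device
    likelihood: str         # key of LIKELIHOOD
    impact: str             # key of IMPACT
    loss_estimate_aud: int  # constructed estimate of one incident's cost

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Map a 1-25 score to the band used in the risk matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: list, appetite: int) -> list:
    """Risks above the appetite threshold, highest score (then cost) first.

    Anything at or below the appetite is accepted and only monitored;
    everything returned needs a treatment decision (control it, transfer
    it via insurance, or avoid the activity).
    """
    over = [r for r in register if r.score > appetite]
    return sorted(over, key=lambda r: (r.score, r.loss_estimate_aud), reverse=True)


# Constructed sample register for a small medical practice.
SAMPLE_REGISTER = [
    Risk("patient records database", "personal data (health)", "ransomware",
         "likely", "severe", 250_000),
    Risk("online payment gateway", "financial", "card data theft",
         "possible", "major", 80_000),
    Risk("staff laptops", "personal data", "lost or stolen unencrypted device",
         "likely", "moderate", 20_000),
    Risk("marketing website", "public", "defacement",
         "possible", "minor", 5_000),
    Risk("shared admin mailbox", "personal data", "phishing account takeover",
         "almost certain", "major", 60_000),
]

# The appetite statement expressed numerically: this practice accepts
# risks scoring 9 or less (the "low" band and the bottom of "medium").
RISK_APPETITE = 9

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{r.score:>2} {rating(r.score):<6} {r.asset:<28} {r.threat}")
```

Running it lists the ransomware and mailbox-takeover risks first (both score 20), then the two score-12 risks ordered by estimated loss; the website defacement (score 6) sits inside the appetite and is simply monitored. The threshold is the point where the risk appetite statement meets the numbers, so it should be agreed by the owners, not set by whoever maintains the spreadsheet.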
Stay Vigilant & Educate Your Team
The first line of cyber security defence is awareness. Regularly train your employees on common threats like phishing, ransomware and social engineering. Implement clear policies and guidelines for employees and make sure they’re enforced. Keep policies aligned with updates to regulations and standards to avoid compliance issues. Get started using free resources like those from the Australian Cyber Security Centre (ACSC) and customise them for your business.
Keep the Basics in Check
Sometimes, it’s the simple things that make a big difference. Avoid common pitfalls like saving passwords on shared computers or using the same password across multiple sites.
Too many times consultants observe practices such as saving passwords in a document on a shared computer, a piece of paper with login details taped to a monitor and the same shared passwords used across all platforms. The number of passwords to remember can be hard to manage, which is why we see this occurring.

Use a password manager to generate strong, unique passwords, to securely share and manage access to shared account credentials (if you absolutely can’t avoid them!) and to be notified when credentials/passwords turn up in a breach online. Free and paid versions exist. Because the manager then holds every credential, protect it with a long master passphrase and multi-factor authentication, and never reuse that passphrase anywhere else.
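Two of the password manager features mentioned above, generating strong passwords and warning when a password has appeared in a breach, are worth seeing in working code, because the breach check is often assumed to mean sending your password to a third party. It does not. The following is an added example, not code from the original post or from any particular password manager. It uses the k-anonymity range query offered by Have I Been Pwned (https://api.pwnedpasswords.com/range/<prefix>): only the first five hex characters of the password’s SHA-1 digest are sent, the service returns every matching hash suffix with a breach count, and the match is made locally. The network call is replaced by a constructed response so the example runs offline; the breach counts and the other suffixes in that response are made up. It also adds a reuse check across a constructed vault, which goes beyond the breach check itself.

```python
"""Strong password generation, reuse detection, and a breached-password
check using the k-anonymity range query that password managers and
browsers use behind the scenes.

Added example, not code from the original post. The real service is
https://api.pwnedpasswords.com/range/<prefix> (Have I Been Pwned): only
the first five hex characters of the password's SHA-1 digest are sent,
so the full password or hash never leaves your machine. The HTTP call
is replaced here by a constructed response so the example runs offline.
"""
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Password from the OS CSPRNG containing every character class."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:  # rejection sampling keeps the distribution uniform over valid passwords
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).

    fetch_range(prefix) must return the service's plain-text body:
    one "SUFFIX:COUNT" line per known hash that starts with the prefix.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reuse(vault: dict) -> dict:
    """Given {site: password}, return {sha256_hex: [sites]} for any password
    used on more than one site. Only hashes appear in the result."""
    by_hash = defaultdict(list)
    for site, pw in vault.items():
        by_hash[hashlib.sha256(pw.encode("utf-8")).hexdigest()].append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


# --- Constructed stand-in for the network call -------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# prefix is 5BAA6. The other suffixes and all counts are made up.
_FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F0A5B1D3CFA8A8B0C5D6E7F8A9B0C1D2E3:15",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for GET /range/<prefix>; real code would use urllib."""
    return _FAKE_RANGES.get(prefix, "0" * 34 + "A:1")


if __name__ == "__main__":
    print("password ->", breach_count("password", fake_fetch_range), "breaches")
    fresh = generate_password()
    print(fresh, "->", breach_count(fresh, fake_fetch_range), "breaches")
    # Constructed vault: the same password reused on two sites.
    print(find_reuse({"bank": "Spring2024!", "webmail": "Spring2024!", "crm": fresh}))
```

To use it for real, replace `fake_fetch_range` with a function that fetches the URL for the prefix over HTTPS and returns the response body; nothing else changes, which is the point of the k-anonymity design.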
What on earth are IAM, MFA and SSO?

- Get the basics of Identity and Access Management (IAM) sorted: every person has their own named account, and what they can access is defined by their role.
- Implement multi-factor authentication (MFA) and single sign-on (SSO) where possible.
Multi-factor authentication (MFA) requires a second form of verification in addition to the password, such as a code from an authenticator app, a prompt on a registered phone, or a hardware security key. Codes sent by SMS are better than nothing but are the weakest option, because they can be intercepted through SIM-swap fraud; prefer an authenticator app or a security key/passkey, and turn MFA on first for email, banking, remote access and any administrator accounts.
Single sign-on (SSO) lets you log in once to a central identity service, which then handles authentication for all the linked apps or sites, instead of remembering and entering separate passwords for each one. Because that one account now opens everything, it must itself be protected with MFA.
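The six-digit code an authenticator app shows is not magic, and seeing how it is produced and checked explains two things practitioners care about: why the code changes every 30 seconds, and why a code that has been phished out of a user must never be accepted a second time. The following is an added example, not code from the original post or from any vendor’s product. It implements TOTP (RFC 6238) on top of HOTP (RFC 4226) using only the Python standard library, with a server-side verifier that tolerates one 30-second step of clock drift and refuses replays. The shared secret is the RFC 6238 test key, chosen so the output can be checked against the RFC’s own test vectors; it must never be used as a real secret.

```python
"""TOTP (RFC 6238) as an authenticator app and a server perform it.

Added example, not code from the original post. Shows how the six-digit
code is derived (HMAC-SHA1 over a 30-second time counter), how the
server tolerates one step of clock drift, and why each code must be
accepted only once. The shared secret is the RFC 6238 test key so the
results can be checked against the RFC's Appendix B vectors.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test key; never use in production


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """What the authenticator app displays: HOTP over the current time step."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP_SECONDS)


class TotpVerifier:
    """Server side. Accepts the current step plus or minus `window` steps,
    and refuses any counter at or below the last one accepted, so a code
    captured by phishing or shoulder-surfing cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # already used, or older than a step we accepted
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def replay_demo(secret: bytes = RFC_SECRET, at: int = 59) -> tuple:
    """Return (first_attempt, replay_attempt) for the same code at the same time."""
    verifier = TotpVerifier(secret)
    code = totp(secret, at)
    return verifier.verify(code, at), verifier.verify(code, at)


if __name__ == "__main__":
    print("RFC vector at t=59:", totp(RFC_SECRET, 59))   # 287082
    print("first use, replay:", replay_demo())           # (True, False)
    print("code right now:", totp(RFC_SECRET))
```

The clock-drift window is why a slightly wrong phone clock still works, and also why the replay check has to remember the highest counter accepted rather than just the last code seen. Real deployments store the secret per user (encrypted at rest), generate it from `secrets.token_bytes`, and rate-limit verification attempts so the six-digit space cannot be brute-forced.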
Other important practices:
Minimise the use of shared accounts. Where they genuinely cannot be avoided, an SME can still manage them in a way that reduces the risk of unauthorised access and improves its overall cyber security posture:
Maintain audit trails to track who accessed a shared account and what actions were taken. Share account credentials through secure channels such as password manager applications, avoiding insecure methods like email or chat.
Establish clear policies outlining the proper use of shared accounts, including guidelines for password creation, access, and reporting incidents. Include shared account management practices in your employee training for cyber security if in use. If technical limitations exist, invest in tools and technologies that facilitate secure management of shared accounts, such as identity and access management (IAM) systems.
Use role-based access control (RBAC) to assign permissions based on job roles rather than sharing account credentials. Grant the minimum necessary access to shared accounts to perform required tasks. Where feasible, separate duties among different users to avoid excessive privileges being concentrated in a single shared account.
Implement dual control for critical activities, requiring two individuals to authorise significant actions.
Shut down old accounts when they’re no longer needed. Make sure your employee offboarding process includes timely deactivation of system access, and for shared accounts, a password change whenever someone who knew the password leaves. Leaving unused account access open is an avoidable vulnerability.
Where possible, enable logging and monitoring of all activities performed using shared accounts to detect suspicious behaviour.
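The shared-account practices above (named users instead of one login, least-privilege roles, dual control for critical actions, an audit trail, and prompt offboarding) are easier to reason about when they are spelled out as rules a system can enforce. The following is an added example, not code from the original post or from any IAM product: a small model of a medical practice’s access control in which each role carries only the permissions its job needs, approving a payment requires two different people, every decision is appended to an audit trail, and offboarding disables the account rather than deleting it so the trail stays intact. The users, roles, permissions and actions are constructed.

```python
"""Named users, role-based permissions, dual control and an audit trail
in place of a shared login.

Added example, not code from the original post. Users, roles, permissions
and actions are constructed for an imaginary medical practice.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Least privilege: each role lists only what that job actually needs.
ROLE_PERMISSIONS = {
    "receptionist": {"appointments:read", "appointments:write"},
    "clinician": {"appointments:read", "records:read", "records:write"},
    "bookkeeper": {"invoices:read", "invoices:write", "payments:initiate"},
    "practice_manager": {"appointments:read", "invoices:read",
                         "payments:approve", "users:manage"},
}
# Critical actions that need two distinct people to sign off.
DUAL_CONTROL = {"payments:approve"}


@dataclass
class User:
    name: str
    roles: set
    active: bool = True


class AccessControl:
    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.audit = []     # audit trail: who, what, on what, outcome, when
        self._pending = {}  # (action, target) -> name of the first approver

    def _log(self, who, action, target, outcome):
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who, "action": action, "target": target, "outcome": outcome,
        })
        return outcome

    def permissions(self, user: User) -> set:
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))

    def authorise(self, who: str, action: str, target: str) -> str:
        """Return "allowed", "pending" (first of two approvals) or "denied: ...",
        and record the decision in the audit trail."""
        user = self.users.get(who)
        if user is None or not user.active:
            return self._log(who, action, target, "denied: unknown or disabled user")
        if action not in self.permissions(user):
            return self._log(who, action, target, "denied: no permission")
        if action in DUAL_CONTROL:
            first = self._pending.get((action, target))
            if first is None:
                self._pending[(action, target)] = who
                return self._log(who, action, target, "pending")
            if first == who:
                return self._log(who, action, target, "denied: same person cannot approve twice")
            del self._pending[(action, target)]
            return self._log(who, action, target, "allowed")
        return self._log(who, action, target, "allowed")

    def offboard(self, who: str, by: str) -> str:
        """Disable rather than delete, so the audit trail keeps the name."""
        manager = self.users.get(by)
        if manager is None or not manager.active or "users:manage" not in self.permissions(manager):
            return self._log(by, "users:disable", who, "denied: no permission")
        self.users[who].active = False
        return self._log(by, "users:disable", who, "allowed")


def sample_practice() -> AccessControl:
    """Constructed users for a small medical practice."""
    return AccessControl([
        User("alice", {"clinician"}), User("bob", {"receptionist"}),
        User("carol", {"practice_manager"}), User("dan", {"practice_manager"}),
        User("erin", {"bookkeeper"}),
    ])


def dual_control_demo() -> tuple:
    """Same person twice is refused; a second manager completes the approval."""
    ac = sample_practice()
    return (ac.authorise("carol", "payments:approve", "invoice-1042"),
            ac.authorise("carol", "payments:approve", "invoice-1042"),
            ac.authorise("dan", "payments:approve", "invoice-1042"))


def offboarding_demo() -> tuple:
    """Access before offboarding, access after, and audit entries written."""
    ac = sample_practice()
    before = ac.authorise("alice", "records:read", "patient-42")
    ac.offboard("alice", by="carol")
    return before, ac.authorise("alice", "records:read", "patient-42"), len(ac.audit)


if __name__ == "__main__":
    ac = sample_practice()
    ac.authorise("erin", "payments:initiate", "invoice-1042")  # allowed
    ac.authorise("erin", "payments:approve", "invoice-1042")   # denied: separation of duties
    print(dual_control_demo(), offboarding_demo())
    for entry in ac.audit:
        print(entry)
```

Note that the bookkeeper can initiate a payment but not approve it, and the same manager cannot supply both approvals: that is the separation of duties the text describes, expressed as data rather than as a policy document. In a real environment these rules live in your identity provider (groups and conditional access) and the audit trail in its sign-in and activity logs; the example only makes the logic visible.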
Protect Against Known Vulnerabilities
Software providers release updates to address known vulnerabilities discovered in their products, but you still need to make sure everything is actually updated. Keep all software (operating systems, applications, firmware and device drivers) on its current patch level; this means applying patches, not necessarily paying for a new version. Turn on automatic updates where the vendor offers them, and patch internet-facing systems and anything flagged as actively exploited first. Secure all Wi-Fi networks (WPA2 or WPA3 with a strong passphrase, and no default router passwords). For remote access to systems, use a virtual private network (VPN) that itself requires MFA. Install and maintain firewalls and antivirus software to protect against external threats.
Prepare for the Worst
Even with the best precautions, it’s essential to have a disaster recovery plan. Regularly back up critical data and test your recovery process: a backup you have never restored from is an assumption, not a plan. Keep at least one backup copy offline or otherwise unreachable from your normal network and accounts, because ransomware routinely encrypts or deletes any backups it can reach. A well-prepared plan can help you bounce back quickly if something goes wrong. Conduct regular drills so everyone knows their role and the process in case of an incident.
Choose Technology Wisely
When investing in new technology, ensure it comes from reputable providers with strong security measures. Look for certifications and compliance with data protection laws to ensure your technology partners are up to standard. In Australia, there isn’t a specific certification or accreditation that directly signifies compliance with data protection laws like the Privacy Act 1988.

However, there are multiple ways to demonstrate compliance and ensure best practices including:
Payment Card Industry Data Security Standard (PCI DSS): For organisations handling payment card information, PCI DSS compliance is mandatory under the card schemes’ rules; it is validated by a self-assessment questionnaire or, for larger volumes, a qualified security assessor, rather than being a certificate. Related PCI Security Standards Council standards include PCI PTS (PIN Transaction Security, covering PIN-entry terminals) and PCI P2PE (Point-to-Point Encryption, which encrypts card data from the point of interaction so it never passes through the merchant’s systems in the clear). Neither is part of PCI DSS itself, but using a P2PE-validated solution can shrink your PCI DSS scope considerably. This is applicable to retail, financial services, and any business handling payment card information.
HIPAA: This is United States health privacy legislation, so it does not apply to Australian providers unless they handle US patient data. Its Security Rule safeguards (access controls, audit logging, encryption, contingency planning) are nonetheless a sensible checklist, and vendors who state they are HIPAA-aligned have at least thought about health data protection.
SOC 2 (System and Organization Controls 2): An independent auditor’s attestation report (not a certificate) covering a service provider’s controls over security, availability, processing integrity, confidentiality and privacy. It is applicable to cloud service providers, SaaS companies, financial services and other businesses that store, process or transmit customer data, and is the report to ask a cloud vendor for.
NIST Cybersecurity Framework (CSF): Developed by the US National Institute of Standards and Technology (NIST), this framework provides guidelines for managing and reducing cybersecurity risk. There is no certification against it, but following it helps establish best practice. It is applicable across all industries and sizes of organisation.
CMMC (Cybersecurity Maturity Model Certification): A certification model developed by the U.S. Department of Defense (DoD) to ensure its contractors have appropriate cyber security practices in place, with several levels of maturity. It applies specifically to contractors and subcontractors working with the U.S. Department of Defense, which can include Australian subsidiaries and suppliers in those supply chains.
Additional measures to demonstrate compliance and best practices include regular internal and external audits of data, audit reports and privacy impact assessments.
Know what you’re signing up to…

Check that vendor contracts include clauses on data protection/security measures. When checking vendor contracts for clauses on data protection and security measures, there are several key elements that should be included to ensure that your business is adequately protected. These include data protection obligations, security measures, breach notification, handling & retention, audit & monitoring, liability & indemnity, subcontracting arrangements, termination & data return/destruction, and business continuity & disaster recovery.
These clauses help to define the responsibilities of the vendor and protect your organisation in the event of a data breach or other security incident.
Cloud services: What are your responsibilities versus a vendor’s?
It’s also important to be aware of shared responsibility models that apply in cloud services. This means understanding what security aspects are managed by providers and what the SME is responsible for. Depending on the solution and data, the information may present a high risk to the business. Be clear on what risk profile is appropriate for the type of solution and information handled.

Questions that typically aren’t asked include: what is the restoration time for their services in the event of a breach, how do they notify customers, and what is their liability for any penalties or fines that may apply (if any)?
Don’t Overlook Hardware Security
Don’t forget about physical security. Lock up devices, use screen timeouts, enable full-disk encryption on laptops and phones, and secure confidential information. When disposing of or selling devices, remove any memory cards or USB drives left inserted in them, and securely erase or physically destroy the internal storage; deleting files or a basic reset does not necessarily remove the data. Develop an asset register to track the hardware your business uses to store information.
Simple measures can go a long way in preventing breaches.

Stay Relevant
Cyber security requires ongoing vigilance to be effective as the changes to technology and threats are continuous (even if nothing in your business has changed):
Stay updated on cybersecurity trends and emerging threats relevant to the business sector.
Periodically review access to shared accounts to ensure only authorised users have access.
Regularly clean up and disable shared accounts that are no longer needed to reduce the attack surface.
Conduct regular audits and assessments to identify weaknesses in systems, applications and networks.
Minimise the Cost of Cyber Security & Maximise Protection
By focusing on these key areas, SMEs can strengthen their cyber security defences and protect their assets and customer data against a growing threat landscape. You can minimise cost and maximise effectiveness by concentrating effort on the areas that actually need attention. Here’s how:
- Leverage Free Expert Advice: Take advantage of free resources from trusted sources like the Australian Cyber Security Centre (ACSC). They offer valuable tools, training, and checklists to help you get started.
- Consult with Professionals: If you need tailored advice or assurance once you’ve completed your own assessment, consider bringing in a cyber security consultant. They can ensure you’re compliant and address any specific concerns.
- Outsource Complex Tasks: For more intricate security needs, managed security services can be a cost-effective alternative to building an in-house team.
Don’t have time to deal with cyber security, or stuck on a particular point? We’re not the cyber security experts; this is just industry experience talking. We can help make things work and fill in the gaps, be it capacity or capability. Talk to us about how we can help you facilitate an assessment of your cyber security risks and needs, implement solutions, or find the right cyber security specialist partner where you need one.
