The risk of delegating away cybersecurity tasks

Two cybersecurity reports have examined how well small and medium-sized businesses are prepared for cyberthreats, warning unprepared firms could fail to recover from an attack and should avoid relying on younger staff for expertise.

The reports, from HLB Mann Judd and the Council of Small Business Organisations Australia (COSBOA), explored how well firms were prepared for a cyberthreat or attack.

The COSBOA survey, which surveyed more than 2,000 small business owners, found four in five respondents were not confident in their ability to prepare for, fight and recover from a cyberthreat.

This was echoed by HLB Mann Judd which said a lack of resources could lead to a business closing after a cyberthreat. It advocated for businesses to set aside 1%-5% of annual turnover for cybersecurity measures along with a formal cyber response plan and strategy.

Kapil Kukreja, HLB Mann Judd Melbourne partner, said: “There have been instances where SMEs have been the victim of a cybersecurity attack, and have gone under within six months. Business owners need to be more accountable and ensure their operations are safeguarded against an attack. 

VIEW ALL

View all

“There’s room for improvement across all sectors but particularly within the SME sector, as they don’t typically have the resources to manage should a cyber breach occur. Hackers are all too aware of this,” he said.

He noted small businesses were also lagging in cybercrime reporting due to lack of requirements to report breaches, resulting in poor records and data collection held by Australian cyber agencies.

Under Australia’s Mandatory Reporting of Data Breaches regulation, businesses with a turnover of less than $3 million per year were not required to report cyber hacks.  

Meanwhile, COSBOA also found there was misconception that younger employees were more aware of cyberthreats than their older colleagues.

It said Gen Z employees (those born after 1997) were least aware of cyberthreats like ransomware and identity theft while Gen X and millennial employees in their 30s were most likely to take cybersecurity seriously.

This was important as some firms may have relied or delegated work to younger staff members on the assumption they were the most tech-savvy.

“A good first step is taking stock of who is responsible for your business’ cyber protection,” COSBOA chairman Matthew Addison said. “Don’t just assume your kids or younger employees are the safest pair of hands when it comes to online activity.” 

Other recommendations to boost cyber protection were implementing cybersecurity automation solutions powered by machine learning and artificial intelligence; implementing the Essential Eight framework recommended by the Australian Signals Directorate; prohibiting apps or software downloads by employees; performing a stress test simulating a hack to identify vulnerabilities in the IT environment; and reviewing information that is collected and stored about customers over periods of time that could be deleted.