Ever-present threats of cyber attacks are part of the price we pay for living in a highly digitalised and connected world, those who attended an Ai Group webinar last week were told. 

No one is immune from the risk; businesses big and small are all potential targets.  

“This wasn’t an issue five years ago,” Ai Group Chief Executive Innes Willox said.  

“It wasn't on the agenda, either at a board level or at a management level, but a lot has happened, and a lot has evolved very quickly. 

“Today, businesses are looking to protect and defend themselves.  

“There are questions around who to trust, who to go to for advice, what to install, who to use as partners if there has been an attack, what to do around cyber insurance — all those sorts of issues that we didn’t have to deal with five years ago. 

“The reality is that in the current world, everyone needs to be cyber-prepared because you are being attacked — either directly or through your supply chain or customer base.” 

Size matters 

When it comes to cyber attacks, size matters, an Ai Group survey of 200 businesses found. 

The findings, released today, show big businesses are twice as likely (50 per cent) to face an attack as small businesses (25 per cent) but are more likely to be prepared for an attack and able to respond to it.

Overall, 225,000 businesses in Australia — one in five — are the victims of an attack a year. 

It may explain why Ai Group’s research found cyber security is the fifth highest ranking investment priority for all businesses, with 20 per cent of respondents declaring it their top or second priority for the year. 

Medium-sized businesses have their own challenges. 

They report higher levels of cyber concern (94 per cent) than both their large (85 per cent) and small (81 per cent) counterparts. 

Australian Cyber Security Centre (ACSC) data indicates medium-sized businesses carry the highest average cost per cybercrime, losing more than $88,000 compared to $39,000 for small businesses and over $62,000 for large.

“Medium businesses are large enough to face increased risks of a cyber incident, but they don't necessarily have the resources to address those risks in the way that large businesses can,” Ai Group Senior Research Analyst Colleen Dowling said at the webinar. 

“They are really being buffeted.” 

Staff cyber training  

Business size also affects investment in staff cyber training. 

Ai Group’s survey revealed 69 per cent of large firms and 61 per cent of medium firms invest in training but only 34 per cent of small businesses do. 

“While small businesses are less likely to have technology demands that necessitate higher levels of technology skills training, they are the largest group of businesses in Australia, so there is an obvious need to increase staff training in small businesses, owing to their number,” Ms Dowling said. 

Cyber security capabilities 

Few businesses try to manage cyber security alone. 

Nearly 85 per cent enlist support from external vendors, either by using a standalone cyber provider or boosting their in-house teams.  

“By doing this, you're ensuring you have access to the latest expertise, knowledge and technology, and it enables you to keep pace with constantly evolving threats,” Ms Dowling said. 

“Small businesses are heavily reliant on external vendors, but as they grow to medium, they start building up their resources and reducing that dependence,” she added.  

“Once they're large, their additional resources and capabilities enable the in-house team to mostly deliver on their strategy.”

Eyes wide open 

“It’s important we bring cyber security out into the open so we here at Ai Group can understand the magnitude of the problem and develop informed advocacy based on evidence,” Ms Dowling said. 

Thales’ Jason Brown, Ai Group’s representative on the Cyber Security Standards Committee who also spoke at the webinar, agrees. 

“We’re going to have many events in cyberspace that are disruptive, so you need to have emergency plans, crisis management arrangements and disaster recovery plans,” he said. 

“The range of threats, including deep fakes, has increased and there's a growing realisation about dependencies. You end up with a rosy picture if you haven't looked at your critical subcontractors and suppliers.” 

Don't let your guard down  

While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are advised to implement eight essential mitigation strategies from ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline.

This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.    

“If you have been attacked, reach out to the ACSC immediately to mitigate the reputational damage that might occur,” Mr Brown said. 

Introducing ISO 27001, an internationally recognised standard that sets requirements for an information security management system, is also recommended. 

“The cyber environment is constantly changing so you have to remain vigilant to keep up,” Mr Brown said. 

“Do your risk assessment and establish the vulnerabilities in your system. 

“Ask yourself: ‘What operational systems allow us to maintain our business and sustain value?’ 

“People at the top of the organisation really need to think about those ‘what ifs’. 

“What if you lose your payroll system because it's been compromised? What if you can't pay anyone because you’ve lost the records?  

“The questions keep coming. ‘What is our disaster recovery plan? What are our backups? Do we have external storage? When we say ‘the cloud’, where is the server room full of equipment? Is it physically vulnerable to flooding?’ 

“When you're looking at changing, upgrading or reviewing your system, it’s important to develop a whole series of ‘what if’ questions and as an entity, determine if you can manage this problem. 

“The hackers are always looking for new ways to take advantage of software. It’s a race.” 

▪ Ai Group is launching a Cyber Security Member Reference Group. At the inaugural meeting on Monday, December 11, Martin Ripple, General Manager, ANCA CNC Machines, will share his experience of a business cyber attack.  

Webinar host Louise McGrath said: “We want to provide a safe place for members to share their experiences and what they're learning to hopefully lift everyone's capability. We’re only as strong as our weakest link.” 

Wendy Larter

Wendy Larter is Communications Manager at the Australian Industry Group. She has more than 20 years’ experience as a reporter, features writer, contributor and sub-editor for newspapers and magazines including The Courier-Mail in Brisbane and Metro, the News of the World, The Times and Elle in the UK.