The latest report from the Australian Signals Directorate (ASD) contains alarming statistics on the state of cybersecurity and the impact of cybercrime on small businesses.
According to the data, small businesses are becoming an increasingly lucrative source of revenue for cybercriminals, with the average cost per incident for small businesses totalling a staggering $49,600. This is an increase of 8% on the previous year. On the other hand, the average cost per reported cybercrime for medium and large businesses dropped.
In addition to this, both new and old cyberattack strategies seem to be causing SMEs plenty of problems.
The data gathered by the ASD gives us an insightful yet troubling picture of the cybersecurity landscape in Australia and what this means for SMEs trying to navigate the challenges of business in an increasingly connected world. So, how can you better protect yourself and your business from cyberattacks?
The most common types of cyber threats facing Aussie SMEs
In the past year, the ASD answered over 36,700 calls to the Australian Cyber Security Hotline, which was up 12%. In addition to this, a total of 87,400 cybercrime reports were received.
The top three types of cybercrimes most reported by businesses were:
- Email compromise (20%)
- Online banking fraud (13%)
- Business email compromise fraud (13%)
On top of this, 11% of all incidents responded to included ransomware, which was up 3% from the previous year.
What kinds of businesses are being targeted by cybercriminals?
Almost half of attacks are focused on government agencies (49%). The remainder is spread fairly evenly across other industries, with healthcare and social assistance businesses the third highest targeted (6%).
Source: Australian Signals Directorate Annual Cyber Threat Report 2023-2024. https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
Healthcare providers can be very lucrative targets for cybercriminals because the data they hold is so sensitive – think client medical histories and personally identifiable information.
However, any business that retains customer data on file can become a target for hackers. For example, a private tutoring business could have student names, addresses and dates of birth on file; while an independent engineering consultant could hold sensitive information like proprietary designs and patents in addition to client payment information.
This is the kind of valuable, highly sensitive information that cybercriminals are after. Small businesses are seen as easy targets for many cybercriminals, because they generally have less robust cybersecurity measures in place compared to large corporations or government agencies and the data they hold can be just as valuable.
New cyberthreats on the horizon
As if there weren’t enough things for SMEs to worry about, the ASD’s report has identified new, emerging cyberthreat trends that could potentially harm your business.
AI-driven cyberattacks
The ASD reports that cybercriminals are increasingly using AI to carry out cyberattacks. These AI-driven threats are making it harder to detect and prevent attacks, as AI allows criminals to automate and refine their strategies. Some examples of AI-driven cyberattacks include:
- Automated phishing scams
- Malware generation
- Brute force attacks
- Exploiting software vulnerabilities
- Creating deepfake technology (more on this below).
Quishing
The humble QR code rocketed to fame throughout the COVID-19 pandemic. It’s still widely used now by many businesses – including everything from digital menus and ordering systems to customer surveys and feedback. However, cybercriminals are now capitalising on the QR code’s popularity with something called ‘quishing’. This is a type of phishing attack where cybercriminals use QR codes to trick people into providing personal information or downloading malware onto their smart device.
Deepfake technology
A deepfake is a type of AI technology that uses machine learning to create highly realistic and believable – but fake – audio, video or images. You’ve probably seen deepfake videos before which were created just for fun, like recreating famous scenes from movies with altered dialogue.
However, deepfakes can also be used to spread misinformation and to carry out fraud and scams. For example, if you saw a video from a trusted and respected professional in your industry telling you to invest $10,000 in a new and highly profitable project, would you be tempted to do as they asked? How would you know the video was fake?
As the malicious use of AI continues to transform the cyberthreat landscape, individuals and businesses need to be wary of deepfake scams.
Proactive measures you can take to mitigate cyber risks
You can reduce cyber risks by making smart investments in certain areas, such as implementing strong cybersecurity measures and taking time to educate staff on common threats. Taking strategic steps towards protecting your business’s future and your customers’ data can be a worthwhile investment in the long run that saves you time, stress and money.
Cybersecurity tools
Antivirus software, firewalls and endpoint detection and response (EDR) tools are all ways that you can improve your cybersecurity measures. Here are a few places you can start:
- Antivirus and malware protection software: Monitors, identifies and removes malicious threats before they become a problem.
- Firewalls: Create a barrier against unauthorised access to your network.
- EDR tools: Monitor device activity and flag suspicious behaviour.
- Multi-factor authentication (MFA): Uses multiple levels of security to protect sensitive data (such as using a password to sign in, and then also sending a prompt to a separate phone number or email).
- Data encryption tools: Encode sensitive data, protecting it from unauthorised access.
- Patch management tools: Automate updates and patches to address software vulnerabilities as soon as possible.
Employee training and awareness
Your employees are often the first line of defence against malicious cyberattacks. One of the simplest ways you can help protect your business is by training and educating your employees on the various risks that cyberthreats represent.
Regular training sessions should focus on things such as identifying suspicious emails, always verifying links before clicking, using strong passwords, and not downloading unauthorised software.
Social engineering can also be a problem, where cybercriminals exploit trust and behaviour to manipulate employees into revealing sensitive information or giving unauthorised access. The ASD’s report found cybercriminals are continuing to use AI tools to conduct increasingly targeted attacks on individuals, including social engineering attacks.
By educating employees about common social engineering tactics, you can help to reduce the risk of a social engineering cyberattack.
Cyber Liability insurance
Despite your best efforts, you could still become the victim of a cyberattack. This is why many small business owners choose to take out Cyber Liability insurance.
Cyber Liability insurance is designed to help protect you from claims and support your profitability in the event of a cyber breach or attack. Costs associated with defending a cyber claim are also covered.
Examples of the types of risks Cyber Liability insurance can assist with are unintended loss or release of customer data, ransomware extortion and business interruption due to a cyber event.
Key takeaway: SMEs need to remain vigilant when it comes to cyberthreats
Cyberattacks are an ever-evolving threat, and small businesses are increasingly becoming prime targets for cybercriminals. However, by staying up to date with the latest news and trends, educating yourself and employees, and investing in the right kind of cybersecurity tools, you can better protect your business from costly cyberattacks. And while no business can guarantee 100% protection, a combination of these things, plus Cyber Liability insurance, can help to provide you with extra security and peace of mind when it comes to the rising threat of cyberattacks.
© 2024 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769