Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Oly Peterson.
20 November 2023
On average, a cyber attack on a small business, it costs $46,000. If you own or operate a small business, maybe you work in one yourself. Have you been a victim of a cyber attack? What did it do to the business? What did it cost the business?
Bruce Billson is the Australian Small Business and Family Enterprise Ombudsman and we welcome him back to Perth live. G’day Bruce.
Oly, great to be with you and the west coast listeners.
It's good to have you on the program again, Bruce. And there's obviously been a lot of focus on these high profile cyber attacks of recent years. Obviously Medibank and Optus spring to mind. Optus obviously in the news again over the last two weeks for lots of other reasons. But underneath all of this is the fact that small businesses here in Australia will be getting more and more support because, let's be honest here Bruce, they're more susceptible to a lot of these cyber attacks.
You're thinking like a cyber criminal Oly. That's exactly what some of these nefarious cats think, that small businesses may well be less protected, may have invested less in their cyber protections, and may also be not just a target in their own right, but possibly a gateway into systems that they intersect with. Think of a small business, it might be a supplier to a major firm, and they might be plugged into invoicing and enterprise technology and the like.
So this is a really welcome move. The Government's announced there'll be two more things that will add to the toolkit.
One's a self assessment tool where you can check out where you're at and get some really good advice on steps that you can take and that are within the gift of a small business to do. So these aren’t, you know, having a whole crack team of cyber technologists sitting alongside you. But things you can actually do, very practical things you can do and make sure you're as ready as you can be.
And the second one, which is something we've been calling for, is, where's the one-on-one help in the event that you are compromised? I mean, that's a tough time to work through. It's traumatic for the business. They might be wanting you to pay a ransom. They might have some other things going on. Someone who can get alongside a small business to help navigate that incident response and hopefully recovery. That's going to go out to tender. That's a very welcome measure and one that we've been arguing for.
Because when I was reading some stats a little bit earlier, Bruce, and you’ll correct me if I'm wrong here, but a small business in Australia is attacked every 6 minutes, so there's going to be ten of these in the next hour.
It's frightening. And then you look at the costs. The Cyber Security Center for the nation estimates it's about $46,000 per incident. But let's also remember, many never recover, Oly. I mean, if you lose control over some of your vital data or your back-end systems are compromised, not to mention how your customers might feel about it. I mean, you and I, being athletic gents, might be running a gym and we've got our information about our clients. And if that's compromised, they might think I’m not going back there.
So, this is where we've been saying, let's join up a few things that are changing right now. There are expectations of small business around privacy and information management. Then there's other things that are happening in the economy, like the Consumer Data Right. Sounds quite funky, but it's basically where consumers can say to certain service providers, how about you give me the info you got on me so I can go and check around with other service providers to see how I might be able to get a better deal.
So these are all things happening at the one time and we're saying these are all challenges for small and family businesses. Let's get alongside them and provide this support to navigate these times as best we can.
Because laws continue to evolve and change as you’ve said Bruce and the scammers become more and more sophisticated, so the knowledge you might have had six months ago could actually be out of date.
Yeah, that's right. And the tactics shift as well. I mean, around this time of year, you’re starting to see the scammers pushing out Cyber Monday sales offers. Around tax time they try and mimic the Australian Tax Office as if you've got some advice, you click on it and before you know it you've downloaded something you really don't want in your system.
And something that most small businesses, I think, are growing awareness about is what's called the invoice substitution scam. The cyber criminals get into your system, you go and send an invoice to somebody for a big number, like an instalment payment on a house build, and they just get in there and change the banking details. And so it lands in the customer's inbox, looks legit. They're expecting the bill. It’s come from the people they expect. You go and pay $90,000 as a building instalment and it goes off into cybercriminal hands, probably gets converted into crypto within about five minutes and these jokers run off and you’re left there having done your dough but you also haven’t paid the business that you're dealing with.
So these are some of the changes. Things like eInvoicing can help in that space. I know some people do what I do, Oly. If it's a big number and I can't afford to have it get pinched, I'll ring up and check the account details to say, is this still the right account? Are details different from last time? My little Spidey senses are telling me I need to do a little extra step. That's all the changing nature of commerce at this time when cyber criminals are looking to take the advantage.
And it must be said Bruce, the banks are also starting to roll out new technology. They like to tell us about it in real time to give people an opportunity to think twice about that bank account, which is important. But we've got to have our antenna up on these things. And seems we’re just all fighting against the tide at the moment. It is difficult to navigate.
We're going to have to get the best of everybody. Now, that means you and me as individuals, we have to have our wariness up and we have to listen to our Spidey senses. For business owners, you don't leave the door open with the light on at night when there's no one there. You take certain steps and safeguards that you're able to do.
The telcos are trying to do what's called a clean pipe initiative, where they cut off a lot of the traffic through the telecommunications infrastructure. And as you mentioned, Oly, the banking system are really stepping up. I mean, they do this in the UK where the bank account details you think you're sending money to, if it doesn't correlate with the BSB and account numbers, it basically goes woop, woop, woop, woop. This isn't probably your best idea. Check it out.
That's an integrated response. And then sitting beyond that, you've got some real specialist expertise. And as was identified through this announcement that the Government's made, a welcome announcement, tooling up and better supporting small business to navigate these times.
And the best starting point is, Bruce, is probably the Cyber Security Centre?
I reckon that's probably a good spot. That's where many tools are available. There's even some helpful guides. If you are a business that handles other people's information, how can you best do that? Some of those self-assessment checklists are there as well. And you can get a little bit more info about the kind of tactics these nefarious cyber criminals are deploying so you can have that situational awareness to best as best protected as you can be.
Alright, cyber.gov.au that is the website. Bruce good to catch up with you, we will do it again soon.
Always fab to be on your airwaves. Take care and best wishes to your listeners.
Bruce Billson, there, the Australian Small Business and Family Enterprise Ombudsman.