Meet the panel
The panel Q & A
As a small business owner, what do I need to do to ensure that my IT is actually protected?
A lot of small businesses we come across have IT systems that are a bit like Swiss cheese: plenty of holes in them.
- So, number 1: plug all the holes in your IT systems.
- Enact policies and systems to systematically look at IT security.
- Train your staff to be vigilant
- Change your passwords regularly
- Make sure your passwords are complex (lots of different characters, numbers and special characters).
- Implement two factor authentication to further protect your online accounts.
- Look at antivirus. About 80% of small businesses think they’re protected with just antivirus; that’s not true anymore. You actually need to have things on top of your antivirus, advanced files in your office, and advanced technology on your systems to provide additional protection.
What are the things you should be looking at from a website perspective? What protection is needed there?
The key one that has been in the headlines this year is having SSL, site-wide SSL certificates. Making sure that your entire site is secure.
That’s that little lock that you see on sites. Everybody should have that now but there’s still a lot of people who don’t.
And Google cares! I spoke to a business this afternoon who’s just left their SEO provider because they hadn’t been advised they needed to have site-wide SSL certificates and they’d dropped out of virtually all the search rankings.
There’s a lot of free ones now. But it’s not expensive anyway. We’re talking about $150-$200 a year at the most.
From an Insurance and Risk point of view: Do all business sizes need to worry about cyber risk?
The short answer is YES!
- Small businesses are easier targets because they don’t have processes in place
- Larger businesses are often targeted through small business contractors.
- Consumers are very aware of their privacy, small businesses need to worry about their reputation.
- Many larger businesses won’t sign contracts with small businesses if they don’t have specific information security protocols in place.
- Many insurance policies don’t provide adequate cyber protection – you need to check.
It’s much better to talk to a smiling insurance person before anything goes wrong because there’s never a smiling insurance assessor!
From a legal viewpoint, what do you see as the most significant legal risks for businesses in relation to cyber?
I think that the most significant is the employee and human side of things. The two main elements are:
- employee ignorance and neglect on the one hand and
- employee unhappiness on the other.
So, it’s all about making sure your employees understand the risks and making sure that you educate them. And dealing with the toxic employees and keeping them happy so that you don’t end up with internal breaches.
Am I protected as long as I do daily backups?
Well, that’s the attitude that cyber criminals are hoping you stick to. There have been cases where hackers have:
- Hacked into the backup as well and purged that too
- Hacked into your data and encrypted it
- Got into the CRM system and stolen confidential client information.
So the short answer is, yes, backups are absolutely important and necessary.
But you need to have a multi-pronged approach to security which encompasses lots of different ways of keeping your data secure. Most of those things aren’t difficult or that expensive, but relying on one single thing to serve and protect you is not enough these days.
How real is the risk, really?
It’s very real… every day small businesses are being hit.
Last year it was ransomware, when people were affected by not being able to operate their business for a few days. That can obviously add up to thousands and tens of thousands of dollars.
This year it’s all about people infiltrating your email accounts and waiting for the perfect time to get that email with an invoice, change the details so the account details are different, and trick someone into paying money.
I’ve had a client lose $50,000. One I read about a few months ago was for really big money, and there have been lots of smaller amounts. All came about from an email being hacked.
How many of you can afford to have $50,000 taken out of your cash flow? Even if it’s covered by insurance.
Peter, how many weeks would it take to pay out on an average insurance policy, to pay you back for that?
It can be quite a long time, particularly with those crime ones.
As to the earlier question about whether normal insurance policies cover it: a lot of small businesses will have things called commercial crime policies, and a lot of those policies actually have exclusions for cyber criminality.
What insurance cover do we need? Is it just for the data being lost?
There’s a huge amount of data and that’s obviously what we want to protect. But it’s more than that.
I have a lot of clients who are in manufacturing, health and financial services, and they use some really old legacy systems. You can’t just press Windows update and it loads. You’re talking about the physical loss of machinery, potential fire hazards, people being injured.
And there are other financial losses. One of my clients had their electricity bill go up to the tune of about $480,000. Their systems had been hacked and were being used to mine Bitcoin. They had seven large servers which were basically just sitting there for months on end running at about 70%.
It’s not like buying car insurance. Your policy needs to specify exactly what systems you have and what cover you need.
What do you think is probably the most significant technology factor out there that will affect the legal liability of businesses?
I think that the so-called internet of things is the most exciting and the most scary thing out there.
Simply put, the internet of things is all of the interconnected electronic devices in the world. So, perhaps an example there might be you have access to the security system in your factory through your mobile phone or your Apple Watch.
There was an interesting situation a few months back with a company somewhere in North America: a mainframe in a casino was hacked through a thermometer connected to the internet in the fish tank in their foyer. The hackers accessed their mainframe and found out who all their high level punters were, through a thermometer.
Another example: a law firm in London with 2,000 employees in their city office has forbidden anyone who has an iPhone to use Siri, because it’s well known that Siri is feeding information back to a server in the States.
Another example. I’ve a colleague in the US who has recently been asked to do some work with drones for the Defense Department. They’ve told him that he couldn’t use a certain part of the drone because it’s manufactured in China and they know that information from the drone is going back to a server in China.
Okay. So I’m going to look to you for some help here, because so far:
- we’ve heard that the insurance policies that we think we’ve got are probably not going to do us any good
- and that my Apple watch is going to scheme to get me later.
So, Ian, tell me: when you see this from a brand identity and online presence point of view, what does it matter in that regard?
You’re looking to me for positive news?
Well, you can’t back up your search rankings; we’re praying to the Google gods, essentially.
But there are a number of things you can do to avoid those disastrous days:
First, maintenance. Don’t just set and forget your website:
- Look out for bad backlinks: gambling sites, bitcoin, porn sites or the like.
- Watch out for duplicate pages or even duplicate sites. I met with an IT company who wanted us to do SEO for them and in our auditing we found that they had another website that they were unaware of, 300 pages, and it was due to a virus. So it could be right in front of your eyes but be slightly outside of your area of expertise.
- Even just checking that your site is still there.
Second, brand consistency:
Google is moving more towards rewarding you for being a good brand and for being positive in the content that you put out there, more of the reputational-type activities, and if you’re doing that consistently over a long period of time, Google rewards you for that.
Where the positive content and building your testimonials and your case studies with clients also comes in is if, for some reason, you do get 50 fake reviews on Facebook, which has been happening a lot lately (just in half an hour, suddenly 50 fake reviews appear from nowhere). Then you’ve actually got some good reviews or some history there, so that it looks like an anomaly and not like the only representation of you online.
And Google have now introduced something in their algorithm where if you do get a lot of bad links in a flurry they don’t count those links. They only count the good ones or the ones that are worthwhile counting.
Third, be aware.
There are so many businesses that we work with that don’t even know they’ve got a bad review, or don’t even know that they need to update their WordPress plugins. There are a lot of really, really basic aspects where things go wrong, and it’s always actually quite simple: it’s maintenance and awareness.
- Monitor your social media
- Set up Google alerts for your brand, for your brand name and for the key people and thought leaders in the business.
- Track whether your site is going up and down; if it’s going up and down several times within an hour you’ve probably got some sort of brute force attack. Someone’s trying to hack into your website.
So what should I do if I’ve had a cyber attack?
Don’t panic, first of all. Possibly a bit late for that. I’d call the insurance first, get your checkbook out and then call your lawyer.
- First – work out if an attack has actually occurred. For example, with an email you may not have clicked through far enough to have triggered the attack.
- Once you have established that you’ve got a problem and you’ve been attacked, you’ve got to look at where that has come from so you can lock down where the threats come in.
- If it is a phishing attack, change passwords.
- If they’ve hacked in through your server it might mean turning your server off, pulling the internet out, whatever, to break that contact.
- And then you’ve got to establish what damage has been done.
- The more prepared you are the better you are to respond to a cyber attack. Make sure your staff are trained and prepared. Who do they call for advice? What steps do they take?
- You should already know if you fall under the Notifiable Data Breach Scheme and what your responsibilities are under that legislation. That means you can respond quickly, in a way that minimizes the damage and minimizes the cost and gets you back operating normally as quickly as possible.
Is it possible I wouldn’t know?
It’s happening more and more now: phishing attacks are on the increase, and Peter mentioned the crypto mining thing.
The cyber criminals are getting so sophisticated now. They’ll hack an email account and sit there for months sometimes, watching email traffic, learning the behavior of the user, learning the language they use, who they deal with in terms of suppliers and so on, waiting for the perfect time to pounce and intercept that email with an invoice or something, before they might actually do the attack. So it’s really quite scary, the lengths they’re now going to in order to secure your money. So you might not know you’ve been hacked.
A lot of it goes back to preparation. Things like monitoring your email logs so you can be aware of unusual behaviour.
Peter – cyber insurance: is it a necessary purchase?
The reality is that buying a cyber policy to deal with cybercrime is kind of like buying an insurance policy on your car but never learning how to drive. Necessary but not enough!
What’s going to stop the need for a claim is engaging the service of the guys next to me. They’re the guys that are going to identify the risk in the business, mitigate it, work with strategies, work on the engagement with staff.
From an insurance perspective, 80 to 90% of the claims that are paid under cyber are actually avoidable, because the staff haven’t been engaged. They don’t actually understand, they don’t look out for phishing emails. So it’s all about your mitigation.
And once you’ve done that then you’re in a much better position to identify what you actually need to insure.
So should you buy cyber insurance? Yes! But there’s a lot of work that goes with it, it’s not just filling out a form.
To put a happier spin on it, we’re finding companies that are getting ahead of the curve on this are actually winning more contracts, because they’re talking about the risk proactively and putting it in their tender documents or proposals.
Sometimes, you may need to purchase it under the contracts that you sign with clients and with suppliers.
When you get new software, some software companies now stipulate in their terms and conditions that you need to have a cyber insurance policy.
The one thing that you really do need to do is engage your IT people, engage your lawyers and engage with a good risk advisor to help you with all this.
Harvey – from a liability perspective?
People tend to trade through corporate entities because they have the protection of a separate legal entity. But it’s not really as simple as that.
I think it’s going to become more prevalent that directors are going to be on the line, because ultimately they’re the managers of the companies. It’s known as the business judgment rule: directors have to show due diligence and care in running the business, and good cyber security policies are one of those issues.
So I think we’re going to see a lot more of that where people aren’t just going after the company, they’re going after the directors and/or employees as well.
So as a small business owner, how often do I need to review my security?
Not that comfortable. Sorry, Stewart, to be the bearer of bad tidings. Everyone knows the technology is moving faster and faster, and cyber crime, unfortunately, is part of that.
And the landscape is changing so quickly that what were big threats last year are no longer the big threats this year.
A yearly review is almost not enough, but a yearly review at least grounds you and lets you look at what the latest threats are, and I’d say have a trusted IT expert to raise anything that comes up that might be something you’ll need on the horizon.
So for the average SME I would say a 12-month review, and then keep your eyes open and talk to your IT experts about any threats that are coming up that you need to protect against, because it’s not something you just set and forget.
So the final question to the Mad Scientist: Where to from here? What do businesses really need to do to stay ahead?
Be educated, be proactive. Don’t wait for disaster to strike before you act.
Stop blaming Google for everything, because Google actually enables us to search the world’s information. We, as the searchers, have an obligation to figure out how to use a search engine. Learn about how this thing works and how you can use it better and protect yourself better.
Align with a good digital agency, they will be your insurance policy because they’ll warn you of some of the things that are on the horizon. A lot of the things that I end up fixing could be avoided just with a little bit of education.
Meet the host
Stewart Clark, Founder and Principal coach of SCS Performance
SCS Performance is a specialist consultancy firm delivering a specially designed range of coaching programs to the small to medium business market, to drive bottom line return.
Stewart is an energetic and experienced business adviser with many years of experience coaching, advising and supporting small and medium sized businesses across Australia.
Leveraging a lengthy career in finance and corporate business, Stewart has worked "in" or "on" a range of businesses and industries Australia wide.
Possessing a people-oriented style and a keen eye for detail, Stewart is well versed in strategic planning, financial analysis, sales delivery and business improvement. Stewart is also a published author of “It’s not what you make, but what you keep” and is a regular speaker.
Unlike a traditional business coach, Stewart focuses on enhancing the mechanics of a business – its people, its process and its systems – to achieve long-term business success.