Does Australia’s cyber security strategy 2020, released by the Home Affairs Department today, go far enough to address the cyber resilience of the nation’s small and medium enterprises? The Australian SME sector comprised more than 2.3 million businesses as at June 2018, representing 9.8 million jobs, and in 2017–18 accounted for around a third of gross domestic product.
A survey of small and medium businesses conducted by the Australian Cyber Security Centre in 2019 found that the sector is highly vulnerable to malicious cyber activity. It was the first cybersecurity survey by the federal government focused exclusively on the SME sector.
Only 1,763 businesses responded to the survey, which represents less than 0.1% of SMEs. Nevertheless, it is a landmark report that warrants some attention and consideration.
The 2020 cybersecurity strategy re-emphasises the importance government places on improving cybersecurity resilience. But the key question remains: why are SMEs still struggling to achieve effective cybersecurity standards?
The ACSC’s survey report confirms that a large proportion of Australian SMEs are likely to have inadequate cybersecurity practices in place. Given that the sector is a substantial contributor to the Australian economy and plays a crucial role in various supply chains, including ones with access to sensitive public and government information, this vulnerability represents a significant national risk.
The report indicates that most SMEs know they are exposed to cybersecurity risk, but they don’t really understand the underlying threats or the vulnerabilities leading to that risk. The reality is that most SMEs also don’t understand how cybersecurity risk translates into business risk.
This is a significant barrier to improved cybersecurity because, without a realistic understanding of the risks they face, SMEs are unlikely to make smart choices to address them.
A good example of this is the ACSC’s own Small business cyber security guide. It discusses threats and a range of cybersecurity measures, including threat protection, vulnerability reduction and risk mitigation. However, it isn’t written in the plain language that SME owners need.
Business owners need clear and succinct explanations of the threats that apply to them, the vulnerabilities they need to address and the associated business risks. That needs to include industry-specific examples.
The survey report concludes that SMEs may not be getting the level of protection they expect from using outsourced cybersecurity providers, which is likely having a negative impact on the adoption rate of those services. Small businesses should be encouraged to outsource their cybersecurity functions, but they need guidance on choosing a suitable cybersecurity service provider. They could benefit from references such as the Managed service provider better practice principles, released in December 2018 by the ACSC.
Government messaging has also been a problem. Despite there being plentiful cybersecurity information available online from federal and state governments, there’s little consistency in format or content. The new cybersecurity strategy proposes that the Australian government ‘work with large businesses and service providers to provide SMEs with cyber security information and tools’. However, there would be great benefit in standardising the information and tools and ensuring that SMEs know where to find them and how to use them.
Cybersecurity guides tend to take a broad-brush approach to recommended actions. Breaking that information down into smaller, focused areas, with clear achievable actions, might reduce complexity and confusion. A good start would be a short guide focusing on email, with an explanation about the benefits of a custom domain name, which surprisingly many SMEs still don’t have.
Another major issue to consider is the limited spending by SMEs on cybersecurity, which the report links to their low annual turnover. While there’s no denying this is a factor, made even worse by the pandemic, a more likely reason is the priority a business places on implementing cybersecurity. Even though 80% of SME respondents rated cybersecurity as ‘very important’ to their business, spending on cybersecurity must still compete with many other financial demands that are rated ‘essential’. Most Australian SMEs don’t see spending on cybersecurity as an imperative.
Ultimately this attitude must change, and the government must be the driver of that change, through proactive influence. For example, the UK government offers the Cyber Essentials scheme, an incremental maturity model applicable to SMEs. The scheme has been in operation for more than five years and provides an assessment framework that can be adopted by businesses of all sizes. Businesses can become certified through a self-assessment process or can opt for a higher level of certification based on an independent audit. Australia’s new cybersecurity strategy doesn’t include such a toolset.
The 2020 cybersecurity strategy includes welcome enhancements to the recognition of the vulnerability of the SME sector and a range of new initiatives. The sector is more than just the individual owners, employees and outputs. It’s a key piece of our overall national cybersecurity resilience, with unique problems that require targeted solutions. The next 12 months will be critical to seeing these targeted solutions designed and brought to life.