Moving Cyber Security From Compliance To Competitive Advantage
by Boylen
Cyber attacks occur at the rate of one per second in Australia, with breaches per capita more than double the global average.
Qantas, iiNet and Louis Vuitton are just three well-known companies that suffered data breaches in July and August, as this story was being prepared.
There is no argument that the defence sector has an escalated need for bulletproof security – but the burden and cost of upgrading systems for SMEs can be daunting.
“Unfortunately, cyber security is always viewed as a cost to a business,” said Chris Self, Chief Operating Officer of MyEmpire Group, which chiefly assists Australian and British companies to mature their cyber security.
“Organisations and small business owners have to realise that if they want to be in the defence sector, they need to do something with cyber security.
“And it doesn’t necessarily have to be gold plated but there is going to be an expense to make sure they are protecting their environment and Defence data better.
“Determine the holes you need to close and then you can invest money in the right areas.”
Salient Lesson
MyEmpire Group rose from the ashes of DistributeIT, a booming domain registration business, which was brought to its knees in 2011 by a local hacker whose sole motivation was to showcase their cyber skills.
Co-owners Alex and Carl Woerndle lost everything.
“They lost the whole business in the space of two to three weeks. The personal impact was significant.”
It’s why when assessing the need for a cyber uplift, Chris said first and foremost, business owners and operators need to ask themselves the question, what have I got to lose?
“What are the key things that make your business a success and how do we protect those things?
“If you lost those key things, can your business operate without them? What is the impact?
“Once we understand what is important and the risk, we can do something about it.
“By not having foundational processes, people controls, and good technical control, what does that leave open?
“If there is a significant risk, then that’s what we are trying to mitigate.”
C-Suite and Board Risk
Boards and CEOs, he said, have the most to lose.
“There are liability elements and responsibilities at that level that they need to be aware of.
“AICD (Australian Institute of Company Directors) has reference materials around cyber considerations for boards and CEOs, asking: Does the organisation understand their risk? Are they testing those controls?”
Cyber insurers demand a minimum level of cyber security.
“If you don’t have multi-factor authentication applied to your environment, you may not even be considered for cyber insurance.”
The financial cost of hardening a business’ cyber defences varies greatly, depending on its size and specific requirements, but it is never a one-time investment.
“You will need resources that can implement those cyber requirements inside your organisation, whether your own IT staff or external support. There will be upfront technology costs. And then you’ll need to consider your run costs because you still need someone to operationally patch or remediate those vulnerabilities once uplift has been implemented.
“The on-going run cost of newly implemented technology or a cyber security program is the big one that typically gets missed. It can be done internally or supported by an organisation like us.”
Chris said a level of government funding for SMEs would be useful, not just to encourage them to join the sector but to ensure appropriate mechanisms remain accessible to support ongoing cyber security uplift or maintenance.
“What we need to think about is the weakest link concept.
“Some level of funding to support how to raise the baseline for everybody in the supply chain.”
Evidence of the implementation of certain minimum cyber security standards is essential.
“With government in particular, there is more and more emphasis being placed on having good cyber maturity.
“If you can appropriately hit and demonstrate a minimum, I think that will start providing a competitive edge.”
He said Australia’s Defence supply chain has settled on the Essential Eight to support a technical control baseline, but it’s not a case of one size fits all.
His view is that Essential Eight is a “reasonable starting point”.
“It’s a strong technical framework, it really drives technology control uplift, but it doesn’t touch much on the other key capabilities – appropriate governance, appropriate risk considerations or the people element. With so many different standards and certification schemes globally, it’s challenging for small operators to know where to begin.
“There’s so much overlap with the frameworks for SMEs to decide which way to go, what to focus on and how to pick the right controls to manage risk within an appropriate budget.
“This just adds confusion about what to focus on and choosing what makes sense to the SME.”
Targeted Investment
That’s why Chris believes SMEs need to have a target in mind, or focus, when investing in cyber security.
He said he would prefer organisations spend on practically uplifting their capabilities through technology, third party systems and process rather than solely focussing on a compliance obligation.
“If certifying to frameworks provides you with a commercial competitive advantage then by all means pursue certification. However, if not, simply aligning to a chosen framework, initially I think that is a huge win, especially for SMEs to help focus investment.”
The key, he said, is to tailor cyber investment specifically to the needs and risks of the business.
“Unless you require certification, I think you should be flexible in leveraging different parts of different standards to suit your organisation and the risks you’re trying to mitigate.
“While the Essential Eight is a great starting point, you’ve got to start thinking a little bit more broadly than that. A new framework, SMB1001, is trying to bridge the gap by providing more specific guidance incorporating technical and process controls aimed at smaller organisations. And Essential Eight controls can be merged here too.
“Even if you start at Maturity Level 1, something is better than nothing and then you can build upon this baseline.
“But it is not bulletproof. Nothing is in cyber.
“The balance is being secure and productive as a business and that’s going to be unique to each of the SMEs.
“But if they can start holistically thinking about security across their business, having that right cultural mindset, embedding good cyber security culture in the business, user training, developing the right policies, all of those little factors contribute to greater maturity and managing risk and what is important to that business.”
That then leads to establishing confidence within the sector, opening up greater business opportunities.
Investment
“It’s just a cost you need to consider,” said Chris.
“Hopefully the budget you put aside for enhancing your security capability creates that competitive edge, which creates increased revenue.”
He explained that Defence would always assess the risk an SME poses to supply chains.
They would view positively evidence that a company:
Understands the risks and assets they need to protect
Is taking the right actions to understand where it fits into that supply chain
Has a proactive approach to manage their cyber security maturity and risks.
“As long as SMEs are starting to leverage the intentions of what’s in the Essential Eight to implement the right controls, I think that would help move that dial forward.”
It’s about being thorough, he said, not just for the protection of your own business but across the sector.
“What we should really be focusing on is how do we get the right support to SMEs to understand what is needed for the entire supply chain to do a little bit better, to make it harder for an attack, trying to close those hygiene gaps, such as timely patching of their internet-facing services. And ultimately uplift that supply chain baseline!”