How to keep the cyber-grinch from crashing your Christmas
As Aussies prepare to trade their keyboards for beach towels this summer, a less festive group is gearing up for peak season: cyber scammers, the Grinches of the festive period for small to medium businesses. So how can you make sure your business stays safe?
A recent survey conducted by Microsoft found that only 8 per cent of small businesses in Australia and New Zealand had managed to evade cyber incidents. With the Australian government allocating over $18.2 million to help SMBs improve cybersecurity resilience and response to cyber-attacks as part of the 2023-30 Australian Cyber Security Strategy, it’s evident that cybersecurity hygiene has become an issue that businesses need to prioritise over the next few years.
There are several reasons why this time of year is especially risky in terms of cybersecurity. Retailers and hospitality businesses will be ramping up for the busiest time of year, hiring temporary seasonal staff who don’t always have the same familiarity with security processes (or worse, share logins), and simply seeing much higher volumes than usual. Meanwhile, other businesses will be operating on a skeleton staff or closing down for the break, potentially leaving the digital back door unguarded.
Scammers and cybercriminals know exactly how to time their attacks to tie in with these kinds of events, whether it’s crafting emails that cleverly imitate a Boxing Day deal or masquerading as an urgent Microsoft alert about a “cyber breach” when you’re at the beach. Especially in the age of AI, with threats evolving all the time, it’s essential to always remain vigilant about cyber threats.
So what can Aussie small and medium businesses do to help stay safe over the holiday period, and what should they look out for?
Many of the same rules that apply to regular consumers also apply to small businesses:
- Avoid clicking on links in emails – always check the official website of the organisation to make sure a deal or a notification is legit, especially if it wasn’t something you were expecting.
- Set up multi-factor authentication – when websites and services offer the option of receiving a code or logging into an app to verify your identity, do it. Microsoft has found that this stops 99% of password-based attacks in their tracks.
- Keep your tech up to date – When your device asks you to update to the latest version, the update usually contains security fixes that plug security holes on your device. The sooner you update your device, the sooner you are protected.
However, there are a few extra things businesses can do to ensure their cyber security processes are as robust as possible:
- Adopt the Essential Eight – The Australian Signals Directorate has guidelines for businesses to boost cyber resilience, which are broken down step by step. As well as MFA and regular systems updates, this includes restricting administrative privileges, restricting applications and web browsers from running certain kinds of scripts, macros or ads that can contain malicious code, and automatically backing up data. There are a lot of different recommendations under each step to help make your systems and data even better protected.
- Implement and test your rapid-response plans regularly – Concerningly, there is significant underinsurance for cyber risk in Australia: only about 20% of SMBs and 35-70% of large businesses have cyber insurance. That makes having a rapid-response plan (a set of instructions designed to help companies prepare for, detect, respond to, and recover from network security incidents) even more important. A good plan should always include regular crisis simulations, every six months, to test different aspects of the cyber response. This is crucial to ensure all processes are working smoothly in a whole range of different scenarios.
- Develop a cyber recovery strategy – The key rule of thumb is to always assume you’ve been breached – the Zero Trust approach. While 90% of SMBs estimate that they will recover from a cyber incident immediately, reports to the Australian Cyber Security Centre (an average rate of one report every 10 minutes) show that businesses commonly underestimate their cyber incident recovery period. Rebuilding is actually the most challenging, and lengthiest, part of dealing with any attack, and having a plan to get back on track should disaster happen will save months of hassle (and potentially a great deal of money).
- Harness AI – AI is being widely adopted, including by cybercriminals. Generative AI can help produce more professional-looking scams. Just as some cyberattackers use company websites to get the names and contact details of senior staff, then spoof their email addresses to trap employees with “urgent” requests, we’re likely to see more personalised attacks. In future, AI will increasingly be used to gather details from social media accounts to target people more effectively. Employing AI tools to counter AI-powered criminals will be core to a solid defence, so make sure to ask your IT provider about the tools now available.
While there’s never a 100 per cent foolproof way to keep the cyber-Grinch from your door, taking these steps will help keep tills ringing and stop unwelcome guests from coming down the chimney this Christmas.
Mark Anderson is the National Security Officer at Microsoft ANZ.