National cyber resilience strategy needed to protect Australia’s small businesses
10 Jul 2020

Australians have learned hard lessons from the disruption of public health management during the Covid-19 pandemic and its social and economic consequences. Now, the nation has been alerted to serious cyberattacks, which Prime Minister Scott Morrison said were carried out by ‘a sophisticated state-based cyber actor’.

There’s also been an increase in such attacks on individuals and businesses by criminals using the pandemic as cover.

Given these increasing national security threats, we must take very seriously the state of cyber security in Australia. What happens if a key part of our economy is badly unprepared for malicious cyber activity? What impact might a successful attack have on the nation?

Small businesses make up a third of Australia’s economy. They are defined as having an annual turnover of less than $2 million or employing fewer than 20 people. They are inherently diverse, ranging from childcare and healthcare centres, to government and industry suppliers.

The pandemic has illustrated the importance of childcare to working parents. Consider the national impact if all of Australia’s childcare centres were suddenly unavailable. A concerted cyber campaign that closed down thousands of centres would have serious consequences for entire communities, with major implications for governments.

Other potential targets for malicious actors could be the health practitioners who have access to the sensitive data of nearly all Australians. The impact if this data were stolen and if the practices were unable to operate could be devastating.

And might poor cyber hygiene in a small business with authorised access to Defence Department networks provide an enticing ‘back door’ to our military secrets?

While large enterprises in Australia have generally enhanced their cybersecurity measures in recent years, small businesses operate in a very different environment. Big firms typically have dedicated IT staff and detailed information-security policies and practices.

In contrast, small businesses often have just enough staff to deliver a particular service, tight budgets and time-poor owners who might also manage the IT despite having a limited understanding of cybersecurity principles.

The reality is that most small businesses are highly vulnerable to malicious cyber activity. The Australian Cyber Security Centre has been warning of this, particularly during the Covid-19 crisis. It has issued advisory alerts outlining the increasing threat posed by criminals using Covid-19 themes and taking advantage of society’s distraction and uncertainty during the pandemic to carry out attacks online against individuals and small businesses.

The inaugural Australian cybersecurity strategy was released in 2016 to help Australian businesses boost their cyber resilience. The strategy noted the importance of the sector to the nation, and its vulnerabilities.

Attempts to turn that intent into tangible outcomes have been disappointing to date, as shown in the findings of the Cyber Security Centre’s recently released small business survey.

The government needs to provide more sophisticated leadership in this domain—to encourage small businesses to enhance their cybersecurity for their own sakes and so that they can strengthen national cyber resilience.

The government has mechanisms it could use to stimulate this outcome. The right policies might encourage the designers of new products and services to place greater emphasis on security and privacy from the start. Technical standards are another area in which the government could insist on improved online security: for example, securing the domain name system (through DNSSEC), sound TLS certificate practices, and email authentication protocols such as SPF, DKIM and DMARC.

The government also has a key lever at its disposal in the myriad supply chains of small business providers. Making enhanced security part of the accreditation process for those suppliers could encourage them to begin improving their own cyber resilience. That would spill over into their private online security, with all the flow-on benefits.

The government could also directly enhance cybersecurity for the nation generally, including small businesses, by developing and testing common cybersecurity ‘toolsets’ across government departments, and then making them available publicly. The UK offers an example of such a strategy through the National Cyber Security Centre’s ‘active cyber defence’ programme, which provides services such as malicious-site takedown and email anti-spoofing checks to public-sector organisations.

Finally, the government could do more to help small businesses accurately assess their own levels of cyber resilience and understand practical measures they can take. An easy-to-understand cyber maturity model and certification framework that resonates with time-poor, cash-strapped business owners might encourage them to do their part in growing the sector’s cyber resilience.

Improving the cyber resilience of thousands of small businesses is not just about their wellbeing. It’s an important element of strengthening the nation against serious cyber threats.