The Australian Government estimates 90% of SMEs are online. Yet, many don’t have protections in place to cope with cyber risks.
One in five Australian small and medium businesses have suffered a cyber attack. Such attacks result in lost cash or intellectual property, and many businesses are unable to recover from the damage.
It is important that their CFOs remain vigilant, putting in place the right controls and procedures to mitigate the risks to the organisation.
The most recent ASX 100 Cyber Health Check Report looked at how large listed companies assessed and managed their exposure to cyber risk. In the report, 62% of directors noted an increase in the level of attempted malicious cyber activity against their company in the past 12 months. Yet 30% had not evaluated the cyber resilience of the suppliers, customers and other key external parties that connect to them.
The same report highlighted that only 11% of Boards have a clear understanding of how the company’s key information or data assets are shared with third parties. Only 11% identified themselves as proactive in reassuring stakeholders about their cyber security.
If large listed organisations, which are typically better resourced to deal with cyber attacks, continue to face a daily battle to protect their data and systems, then smaller businesses need to be particularly strategic and resourceful in the way they prevent and respond to cyber threats.
The Internet of Things (IoT) streamlines operations and boosts efficiency, giving SMEs an edge through cheaper, automated capabilities. IoT is also a key entry point for attacks: as the 2019 Symantec report highlighted, most IoT devices are vulnerable.
Symantec also found that ransomware had shifted from consumers to enterprises, with infections rising 12%.
Many Australian small and medium businesses have taken a hit at some point, often after exposing themselves through social media and email and being caught by phishing scams.
Cyber criminals continually think of new and more sophisticated ways to access a company’s data or siphon money from its accounts team. Too often, businesses are getting caught out by simple impersonation fraud techniques.
Conley Manifis, Audit Director at William Buck, says most of the fraud activity they have seen involves clients being sent invoices via email that look as though they were legitimately sent from their accounts team.
“If it is coming from the accounts team, naturally, the accountant would not usually feel they need to question the authenticity,” states Conley. “Evidently, it appears the scammers had been able to access the company’s email addresses and taken advantage of using a recognisable person and name to have the invoice paid for a false purchase order. Unfortunately, as a result, the money gets paid and can’t be retrieved.”
In the current online environment, businesses need to be more cautious and implement tight controls to detect, respond to and manage an incident with minimal impact on the business. In the case of invoice payments, operating procedures need to ensure that each invoice paid is authentic, particularly those of high value.
“It might be simple enough advice but, if you think an invoice is suspicious, check the email details before you make a payment and confirm the relevant information before the transaction goes through,” advises Conley. “If your controls are effective, you will be able to easily detect any false requests for payment and avoid the hassle of contacting the bank to try stopping the payment or recover potentially lost funds.”
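The pre-payment check described above, as an added example that is not part of the original article or William Buck’s own procedures: the sender details of an emailed invoice are compared against an approved-supplier register before the payment is released. The supplier register, the high-value threshold and the two sample messages are constructed for illustration.

```python
"""Added example: screen an emailed invoice's sender details against an
approved-supplier register before payment (not from the original article)."""
from email.utils import parseaddr

# Constructed register: supplier display name -> domain the supplier sends from.
APPROVED_SUPPLIERS = {"acme supplies": "acme-supplies.example"}
HIGH_VALUE_THRESHOLD = 10_000.00   # assumed policy value; set to the business's own limit

def domain_of(address):
    """Lower-cased domain part of an email address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def lookalike(candidate, expected):
    """True if candidate is one character edit away from expected, the
    typical shape of a typosquatted supplier domain."""
    if candidate == expected or abs(len(candidate) - len(expected)) > 1:
        return False
    if len(candidate) == len(expected):
        return sum(a != b for a, b in zip(candidate, expected)) == 1
    longer, shorter = sorted((candidate, expected), key=len, reverse=True)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def screen_invoice(headers, amount):
    """Return the reasons an invoice must be held for manual verification.
    An empty list means the sender checks passed; it is not proof of authenticity."""
    flags = []
    name, _ = parseaddr(headers.get("From", ""))
    expected = APPROVED_SUPPLIERS.get(name.strip().lower())
    sender = domain_of(headers.get("From", ""))
    if expected is None:
        flags.append("sender not in approved-supplier register")
    elif sender != expected:
        kind = "lookalike" if lookalike(sender, expected) else "unexpected"
        flags.append(f"{kind} sending domain {sender!r}, expected {expected!r}")
    reply_to = domain_of(headers.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to!r} differs from sending domain")
    if amount >= HIGH_VALUE_THRESHOLD:
        flags.append("high value: confirm with the supplier on a known number and obtain second approval")
    return flags

# Constructed sample headers: a genuine invoice and an impersonation attempt.
GENUINE = {"From": "Acme Supplies <billing@acme-supplies.example>"}
SPOOFED = {"From": "Acme Supplies <billing@acme-suppIies.example>",
           "Reply-To": "billing@freemail.example"}

if __name__ == "__main__":
    print(screen_invoice(GENUINE, 500.0))      # [] : release through normal approval
    print(screen_invoice(SPOOFED, 12_000.0))   # three flags: hold and verify by phone
```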
Conley believes CFOs have a key role to play in combating cybercrime by putting in place an effective risk mitigation strategy, with education and awareness as its fundamental components. This should span the entire business, from the front reception and accounts payable team to the I.T. function.
“There is enough information available now that businesses have no excuse not to put sensible risk prevention strategies in place. The CFO needs to drive a ‘cyber risk aware’ culture with a company’s shareholders, employees and customers in mind to ensure the message is embedded right from the ground up. While the digital landscape has certainly opened up more opportunities for business, it still means having to learn to manage the risks associated with it.”
“You should also be looking at the processes your business has in place around I.T. controls,” adds Conley. “Is your I.T. manager aware of the latest scams? What filters are used to protect against phishing emails and viruses? How often does I.T. conduct data backups and update firewalls? It becomes a two-fold approach – at the top level, what controls the business has in place from an awareness perspective, and then the practical controls your I.T. function and accounts payable team have in place.”
Some tips for protecting your business
- Always have a dual signatory or authorisation;
- Change company passwords regularly;
- Do not give out passwords to anyone;
- Question anything that does not look or sound right;
- Make sure only the relevant people have access to payroll records.
Do you want to discuss the protection of your business? Ask your local William Buck advisor.