cyber security

Cyber security tips for small business

Olivia Pearce — Mon, 12 Aug 2024 01:19:05 +0000

Cyber security tips for small business Olivia Pearce Mon, 08/12/2024 - 11:19

31 July 2024

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Tim Webster.

ABC Radio Sydney

Subjects: ransomware attacks on small business, cyber security tips for small business, insolvency concerns, business continuity planning, changes to privacy laws, energising enterprise, Carly Simon, Warren Beattie, Mick Jagger and James Taylor

Tim Webster

Australian businesses are paying untold amounts of ransom to hackers, but neither the government or the public actually knows how much. That's interesting. The Cyber Security Act, which is yet to be unveiled, would force Australian businesses and government entities to disclose the payments or face fines expected to be brought before the parliament at the next sitting. So, how will small business deal with all of that? The Australian �Թ�� and Family Enterprise Ombudsman is Bruce Billson. He joins us from time to time and we love talking to him. G’day.

Bruce Billson

Great to be with you Tim. And I haven't heard that Carly Simon version either. Everyone remembers that Coming Around Again that was in that Heartburn movie, and, of course, You're so Vain. I mean, that doesn't apply to anyone in this conversation, but that was a big hit.

Tim Webster

Certainly not. 1973 You’re so Vain. Well, the conjecture about who it was about, and I think she eventually said it was a conglomerate. Warren Beatty, Mick Jagger, of all the men she’s known.

Bruce Billson

Warren suffered from being a particularly handsome rooster. Who knows. But that’s not what's on our mind though. The pressures on small business.

Tim Webster

The Cyber Security Act. Now, that's an interesting piece of information. Untold amounts to hackers, but neither the government or the public knows how much. I imagine that's because business doesn't want them to know.

Bruce Billson

Yeah, it's a tricky one because most of the expert advice is don't pay for the ransomware to be released so you can get your data back. But, clearly, in some cases, businesses are making a commercial decision that rather than have the whole capability and their ability to engage in trade and vital data, there are reports that some actually pay the ransomware and then hope that the nefarious figures that are involved in cyber hacking then do the right thing and release their data.

It’s a bit of a contested space, but the expert advice is, overwhelmingly, don't pay the ransomware. But then the same experts are saying for us to be best placed to combat that kind of thing, we need to know what's going on. And therefore, you know, the information perhaps around who's doing the ransomware attack and what you may be asked to pay is something that's really important to those trying to defend us in this cyber security threatening world.

Tim Webster

I know it's a threatening world, but tell me, do you think it's fair to fine people for non-disclosure, whether its 15 grand or whatever it might be, because they’ve already been ‘got’, haven’t they?

Bruce Billson

I don't think it's fair for small business to face what could be a fine that, if it was applied to them, would cripple their business. At a time when small business people are so time-poor and margins are really squeezed, and we know nearly half aren’t profitable right now. If you're hit with a ransomware threat or challenge, I reckon you'd be pretty focused on trying to get your business up and going again. And one of the things that we're finding in this complicated, quite sophisticated regulatory environment, you might not even know to whom it is you need to report this breach, but you inadvertently break the law, and then you're faced with another crippling impact on your business.

We've been urging government to have, almost like an A-Team, that can get alongside small and family businesses that have a cyber event. Have them navigate that process, help them make sure they've got appropriate safeguards, but also help them recover on the other side.

I'd hate to see anything that discourage people reaching out for that help if they feared getting pinged with a fine. So, maybe if it's a bigger organisation Tim, and they've got, you know, technical experts and they know all the organisational structure that happens in this space. Maybe a more punitive response is arguable. A time-poor resource-stretched small business, I’m not so sure about that.

Tim Webster

We were, as you would know, a victim of that CrowdStrike. And it was incredibly dramatic here when you've got a studio full of blue screens. So, it's happening to everybody. Maybe more help from the government rather than hindrance from the government on cyber security?

Bruce Billson

That’s our view. Look, there's some encouraging signs there. In the last budget there was an announcement to set up a small business cyber resource hub. I'm optimistic about that. That's what we've been urging that the government does, so that there's a real sense that government is an ally for small business when getting through these terrible events. Not one where they’re fearful of raising these challenges and therefore not getting the help they want and they need, and then having that really impacting on that businesses opportunity to recover, to get its data back, get systems going and and focus on delighting customers. Not that there's some fine around the corner they might get spanked with.

Tim Webster

My texter – don't forget to put your name on the text so I could acknowledge who you are - but he or she basically says, more regulation and red tape on small business owners like myself. It's none of anyone's business what I pay and to who.

Bruce Billson

I think if you had this support posture, one of assistance rather than of compliance, you get small businesses saying, oh, hang on, this is a change in our economy. I really need to be tooled up and as well-equipped as I can be. And to have the resources of government there to assist in making sure you've got appropriate safeguards, good preventative steps. Good, dare I say data hygiene. Sorry for the jargon, Tim. That'd be great. Then if something happened, somebody can get alongside you to work out what you need to do to get through that event. And then some help on the other side getting back up and going.

I think that posture, so much better, so much more likely to get the right outcome that policymakers are hoping for, rather than having this big fine hanging over a small business for whom, if they pinged, they might not have even known they needed to take those steps and then that fine itself could bring them down as badly as perhaps the cyber threat did.

Tim Webster

Everyone's got so much to do, Bruce. Oh, you got pinged and you feel really guilty. But don't because there's so much of it around. I mean everyone's after your information, your money, every day of the week. I mean the amount of text you get, emails you get. You've going to be so vigilant these days.

And look, Jamie says this. Good point. Don't know why you'd pay the ransom. Couldn't the hackers just copy the information they'd hacked and release it anyway?

Bruce Billson

I'm kind of with Jamie. And I’m not discounting for one minute that a commercial decision is often what's guiding this. But I tell you what, if someone was nefarious enough to have a crack and compromised my system in the first place, if I handed over a substantial chunk of change in the hope that they then do the right thing. That's the thing that I'm wary about with paying ransomware. I would have imagined having good backups, you know, multi-factor authentication to sort of limit what's going on. For your listeners that are in business and maybe use digital platforms, and have a credit card attached to say their Meta Marketplace account, if that gets hacked, do what I do. I use a very low amount credit card for my online transactions. Thinking, you know, if someone does grab that data and has a crack at my credit card, if I can't go back to the people that should have guarded against that in the first place, I at least have kept the credit limit very low. And therefore, the harm to me is minimised.

So, for your listeners and businesses and even consumers that are dealing with those online transactions and having credit cards linked to the advertising spend on digital platforms, have a separate credit card with a really low credit limit on it and minimise that risk. Make sure you've got control over that account. If they've taken the account out and blocked you, make sure there's another way of verifying that you’re who you are. And if all else fails and you’re a small business, get on to us and we'll help out.

Tim Webster

Is that Cyber Security Act a fait accompli? Is that going to happen, or can you convince them to not do it?

Bruce Billson

It's still going through the Parliament, so there's plenty of opportunity for some of your texters and others that have raised some good views, to feed those in because it's really about right-sizing it Tim. You and I've talked about that before, but a small business isn't some shrink wrapped major corporation that's got, you know, technical expertise coming out of their ears. That's not right. It's mum and dad and committed enterprising men and women often doing compliance things 10 o’clock at night to try and make sure that the business of running the business is attended to while they also focus on what the future looks like for their business, how can they delight customers and maybe, you know, innovate to get better value for themselves and the people that rely on the business.

Tim Webster

Alright, let's leave that one. There's a few issues to deal with. A 50% increase in queries by small business about a business they're dealing with, possibly being insolvent or a concern about what to do if they're worried about their own place.

Bruce Billson

There's a couple of things happening here. What we are seeing is that really significant uptick in concerns. We're also seeing people checking on what are called credit reference platforms, where they check to see whether the business they are dealing with has some, let's use the word form of not always paying their bills and the like.

But also we're getting an increase in payment disputes even when work is carried out under the contract or the terms that were agreed. Just getting paid Tim, just getting paid is really a pain point. And when the cash flow is tight and when you see the Tax Office are up and about trying to make sure that people with outstanding tax liabilities are engaging with them. When margins are being squeezed, one of the things you see sometimes there’s this friction in just getting paid and the payment time blowing out. It's a real concern.

So, what we're saying to business is if you've got those concerns there are ways you can check, for small fee you can check on the credit record of those businesses. That doesn't mean don't do business with them. But if you and I were running an electrical business and at a subdivision out in western Sydney, in a growth suburb like that, we've got to spend a bit of money buying all the equipment, the substations. So, we're out of pocket already. And then there's our time and expertise. So not being paid, not only us not being rewarded for our work and our diligence, we're also carrying the costs of the equipment we've had to buy. And therefore, you might say to that that developer I want half that project cost as a down payment before I start, so that I can at least cover the costs of those outgoings for equipment. And when the job's done, I'll come and get the rest.

So, you might change your terms, the way in which you engage. But just making an informed decision about those things where we are seeing an uptick in these payment difficulties, we recommend that as part of your approach to your business.

Tim Webster

Louise from Inverell. Louise says, I've got a small limit on my credit card. I used to make jokes that I should keep it maxed out for safety's sake.

Bruce Billson

She raises an interesting point. It is about managing that risk. I mean, sadly, the experience that you've had in the studio and some of these cyber events, I don't think they're the exception. We're likely to see more of that. It’s almost a new normal where there's such a dependency on technology and digital systems in our economy and our lives. Just taking those steps to safeguard, to prevent a bad event happening, and then to limit not only the risk of it, but the cost of it, they’re the things that that we're urging people to do.

Tim Webster

Now, let's allay the fears of Elyse at Mascot. This discussion about small business and security, making me feel very uncertain about transacting digitally with small business. Unfortunately, it steers me to dealing with larger organisations that are better resourced to protect my data.

Now, just on the back of that text. Also, a text about - look, sometimes on the ABC you have to mention a commercial entity just to make a point – I've been asked about PayPal. I don't, but my wife does, and she's never had any issues with that. So, both texts are sort of going, oh, gee, what do I do?

Bruce Billson

There's some really good points in there. And frankly, those messages are reflecting the sentiment in the business community. There is a heightened anxiety and awareness of these things, but there are steps that you can take within your own control. I mentioned multi-factor authentication. Changing your passwords, trying not to have Timisfab12345 as your password is probably not ideal.

Even the software, you get a notification that there's an update for the software. Tim and listeners, often those updates have safeguards or patches to guard against weaknesses or vulnerabilities in the software. Back up your files. I was involved in building a bank to take on the big banks and we used to have a system, and I know it's at a larger scale, but we used to have a system that backed up almost continuously. So, if one of what frankly was thousands of attacks on our site every week, if one of those worked, we could just go back to the moment and all the data before it was compromised and boot it up again from there. So those backups become really important.

PayID, where you verify who the payer is. One of the things in small business that is a real cyber threat are what's called the invoice substitution scam. So, they’ll sneak into your accounting and invoicing system and you won't even know it. They’ll mess with a PDF, a saved file, and put someone else's banking numbers in there. So it all looks legit. You're expecting this invoice. You pay it on the basis of what's in it. All looks legit. And some nefarious character’s gone and changed the banking details so it whisks that payment off to another account. And before you know it, they've converted it to crypto and you can't track it down. So, ways around that is to verify who you are sending money to, to use things like PayID and those secured systems.

The other one is to consider eInvoicing, which is a much tighter, less vulnerable way of sending invoicing. So, there’s steps that you can take. But needing to be situationally aware is really important.

Tim Webster

Jamie opened a second account and transferred my money to that. So, on the credit card, he's got nothing. And this one from Chris. SMEs and large enterprises should open a business continuity plan for ransomware, including incremental offsite backups. It's critical. And then their own servers would help. That’s Chris. It’s clever.

Bruce Billson

Chris is legendary. I hope he doesn't think we've planted that in there. Chris is absolutely right. We found only about one in four have an up-to-date business continuity plan. And that's where you contemplate things that might knock your business off-course and then think about and plan for and have the bits and tools in place to recover and to make considered choices at that time.

That business continuity plan, it could and should address a cyber-attack. And it'll talk about backups and knowing who your providers are and where you've stored data and key contacts to help you get up and going again.

But it might be dealing with a natural disaster. It might be dealing with a health episode. If you and I were the breadwinners of our partnership Tim and one of us got sick, that's going to bump us off track as much as a cyber-attack.

So, Chris is right on the money there. Think about what might happen that could take you off the course you want to be on and what are you going to do about it. And that's a really great contribution from Chris. Top tip of the day.

Tim Webster

Good on you Chris, thank you. Jenny says you can buy a credit card at one of the big supermarkets for various amounts. You can buy it on the internet and that’s not using your own savings. Lot of this is very clever, Bruce.

Bruce Billson

And really practical too. Jenny's again, right on the money. She's talking about practical steps well within your ability to take them, that actually mitigates against the risk of something bad happening. And then if something bad does happen, you’ve really cauterised the cost and consequences of it. They’re fantastic ideas and I hope your listeners are getting something out of this discussion.

Tim Webster

They obviously are. And thank you very much Chris and Jenny.

Now, before the news rushes up at me. The government's looking at removing the exemption that allows small businesses to not, to not comply with privacy laws. How does business feel about that?

Bruce Billson

Not thrilled, but it's very linked to our earlier discussion. So, under the privacy laws, there's a dozen or so privacy principles that big businesses need to read, absorb, interpret and then apply to their workplace and their enterprise about how they're going to manage data that might be vulnerable or might compromise a person's identity and those sorts of things.

So, you can understand where they're coming from. For many years there's been an exemption for small business, with the exception of sort of health professionals and those sorts of things. There's been a review saying, look, the whole world has changed. We just had a great discussion about it. And so much of our day-to-day life sees businesses having data that's really important to us.

Now is that data is risky to your identity or your economic interest, there's got to be certain duties to make sure you take really good care of it or, in some cases, advice to get rid of data you don't need so that you remove that risk. What the government's talking about is simply removing the exemption so that a small business has got to do all the hoop jumping the big businesses do this.

We’re saying, hang on a minute. Again, a time-poor, resource-constrained small business. Let's get in with some really straightforward, easily implementable action steps that achieve that objective and have good data management that's of advantage to the business as well, not just a compliance obligation. And maybe open up new opportunities to link cyber security safeguards, good data management. It’s a more complicated world to be running a business. But let's not make it needlessly super, super, super complicated where the risk and responsibilities just are completely out of whack.

Tim Webster

Bruce, I'm very glad I'm just a humble old broadcaster. The things small business have to deal with. It's quite amazing, isn't it? Really?

Bruce Billson

We've been tracking this and saying to anyone who will listen, the risks and responsibilities of business ownership continue to grow, but the rewards aren’t growing with them.

We need to really think about that risk-reward balance and make sure being an enterprising man and woman is attractive, it's fun, it creates wealth and opportunity for those business-minded people and those employees that they make possible. And it brings such a vitality to our communities where you might not have a big corporate go to regional and rural New South Wales.

What do you think's driving these regional economies and towns? It's small and family businesses, and we need to make sure we celebrate that and look for ways to energise enterprise so there's more of it and better prospects of success into the future.

Tim Webster

And just while I’ve got 30 seconds, a texter says to both of us. Mick Jagger did backup vocals on You’re so Vain so it couldn't have been him. I think that's right. However, why couldn't it have been him?

Bruce Billson

My mail tells me it was Warren Beatty and let’s remember there was a time when Carly Simon and James Taylor had a thing. That didn't end well. It used to be Her Town Too. There’s a song for you.

Tim Webster

I think she said in an interview it was a conglomerate, so let's go with that. Thanks for your time.

Bruce Billson

Take care and best wishes to you and your listeners.

Tim Webster

And he does join us quite regularly, it’s great. Our �Թ�� and Family Enterprise Ombudsman Bruce Billson.

Small businesses can't be held to the same privacy standards

Olivia Pearce — Sun, 21 Jul 2024 23:48:45 +0000

Small businesses can't be held to the same privacy standards Olivia Pearce Mon, 07/22/2024 - 09:48

22 July 2024

Opinion piece by the Ombudsman Bruce Billson.

Originally published in the Canberra Times.

The public rightly expects any personal information collected and stored by businesses - whether they are large or small - will be protected and only used for the reasons it was provided.

It is not credible for small business to continue to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff, and other businesses they are dealing with.

The digital world has added so much, creating new opportunities and risks and the responsibilities that accompany handling personal information need to evolve with the times.

That is why my office has been working with the Australian government to ensure what replaces the current small business privacy exemption and any new regulations, are right-sized and appropriate for small business, easy to implement with clear advice and timelines and will give confidence to customers.

While the exemption is no longer tenable, nor is it practical to directly apply legalistic privacy principles, which larger businesses have to work through, to a small business.

These are principles big business and government agencies need to decipher, interpret and apply to their circumstances, which most small or family businesses do not have the resources or staff to navigate and implement.

We welcomed the acknowledgement by Attorney-General Mark Dreyfus of the special circumstances and limited time and resources of small business, the need for support and a reasonable transition period and the need for an impact analysis of what changes would mean.

In the consultation sessions involving ASBFEO, we have worked hard with officials to help them appreciate that small businesses do not already have and will not soon have mastery of the Privacy Act. Nor will many be able to navigate data-handling protocols to develop a privacy statement and data-breach response plan. This understanding is critical to appreciate how small businesses operate and then appropriately design regulations to allow small businesses to be compliant.

Small businesses and their representatives are alarmed the system being contemplated would require a small business to interpret legalistic principles and undertake onerous and unfamiliar activities - exactly what small business consultation participants said was the worst way forward.

It is important now the consultation by officials focuses on readily understandable and practical steps supported by actionable information to ensure small businesses are not drowned in a sea of legal technicality and complexity.

A small business isn't a shrink-wrap version of a big corporation. There's no regulatory team or dedicated privacy experts, on-staff lawyers or sophisticated compliance systems. Typically, it's the owner - at 10pm - grappling with this after they've been running their business all day.

Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff, and themselves and to fulfil their responsibilities. This may include procedural templates, information guides and checklists explaining the clear steps required to meet their privacy obligations.

The government needs to translate privacy principles into clear, sequential actions, calibrated to the degree of privacy risk prevalent in the business that clearly responds to the question that will be asked by a small business: What is it I need to do?

Small business fears about new and unfamiliar compliance obligations would be eased by the government making a clear statement that it will provide concise, relevant and accessible guidance and there will be a suitable transition period.

Small businesses know they can suffer if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected. There is a compelling business benefit in sound and dependable 'information management' in this digital era of opportunities and risks.

A cyber hack or malicious information release is harmful at many levels, including for the targeted small business that irreparably damages the business's ability to operate. The latest chilling report from the Australian Cyber Security Centre is that a cyberattack happens every six minutes and when a small business is hit, on average they suffer a financial loss of $46,000.

Sadly, in many cases it ends up being an enterprise-ending event as they never recover or re-earn the confidence of employees, customers, suppliers and partners.

Government should also embed any privacy changes in a nest of information management issues for small and family business including cyber protection, a safe digital presence, managing opportunities and risks presented by digital platforms, eInvoicing, data custodianship and consumer data right participation. Each is being pursued in a siloed way with different (often unknown) lead agencies, bespoke duties and concerns about mounting complexity and compounding compliance obligations.

These all can and should be addressed as an integrated 'information management' initiative highlighting both the business benefits as well as any new obligation through a synchronised engagement with small businesses through familiar intermediaries. This is an opportunity for government to progress important policy objectives while assisting small businesses to deepen their digital engagement, bolster vital information management tools and even explore the responsible use of generative artificial intelligence.

Why can't we explore what requirements can be systematised and routinely actioned by small business in existing 'natural business systems' and already familiar digital platforms and software being used for accounting and single-touch-payroll reporting? Rather than sprinkle resources around in the hope it better equips small business, why not work with the likes of MYOB, Xero, Intuit and Hnry (just to name a few) to embed key duties and action steps into the software businesses use daily?

More than nine out of 10 businesses are currently exempt from the privacy laws. Getting this reform right offers a golden opportunity to extend protection for customers, staff and suppliers. But it will not succeed unless the real-world circumstances and limitations of time-poor and resource-constrained small businesses are honestly understood and embraced by policymakers to create a workable, mutually beneficial and secure system for everyone.

Ombudsman’s guide for small business - using social media securely

Emily Carter — Wed, 29 May 2024 07:06:38 +0000

Ombudsman’s guide for small business - using social media securely Emily Carter Wed, 05/29/2024 - 17:06

28 May 2024

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Gary Adshead.

Radio 6PR Perth

Subject: Ombudsman’s guide for small business - using social media securely

Gary Adshead

There’s a new guide going out in relation to businesses using social media and trying to use it securely and properly. Bruce Billson is the Australian �Թ�� and Family Enterprise Ombudsman, and he joins me now. G’day Bruce.

Bruce Billson

Gary, fab to be with you and your listeners?

Gary Adshead

Can you tell whether it's a major, growing trend and whether the reason is it's just cheaper in terms of using a social media platform than building your own website?

Bruce Billson

I can and I can share it just with you, Gary, and your Perth listeners. It is a growing trend because a lot of businesses their digital presence is their channel to the marketplace. This is a great way of engaging with a lot of eyeballs you probably wouldn't otherwise be able to connect with. It's an aggregation place where people come looking for a range of opportunities. And for you and I, if we were to start a business, it's a way of getting into business without necessarily having the expense and the tail risk of a commercial lease and a bricks and mortar type operation.

So, it's very, very attractive. Lots of people have this as an early-stage business strategy or even, dare I use the phrase, a side hustle. It can be quite lucrative, but it's also quite hazardous. We've seen a doubling in the number of businesses that have had a problem with those very same digital platforms. So, they're opening up new opportunities, new markets, new potential, but they're not without their hazards. And that's what we're trying to help people steer away from.

Gary Adshead

And those hazards, is it around the social media platform itself perhaps might be easier to intercept than a website, in terms of those people that want to hack and want to get their clients details or want to upset the business?

Bruce Billson

Yeah, it's that kind of thing where those platforms have quite a sophisticated back end, which is the business of the platform Gary. So, imagine you and I, we've got a presence. We want to put a series of ads out. It's connected up to our place where we can buy and sell and engage with our service. But it then feeds into some other part of that platform where it might be an ad spend about targeted placement of our message. And connected to that can be our account details for a credit card and then maybe even a gateway into other linked accounts that if someone can get into one part of that system, they may be able to cause havoc in other parts of the system.

And then you and I as a person relying on that channel to do our business, sits there and sees our business going down the drain. In some cases, bad experiences, even a change to the website itself. And in other cases that we've seen people using the advertising linked accounts to drain those accounts to promote something else or to even do something quite malicious to our own accounts.

So that's where things go badly, Gary, and then the frustration just gets worse. The websites say, hey, get into your account to tell us that you can't get into your account. You can imagine that's the ultimate run around.

Gary Adshead

That has happened to me. Do you have a view that consumers are more wary of the Facebook or the other platform social media sites, rather than an actual structured website. Do you have a view on that?

Bruce Billson

I think they could be. I'll give you an example, and I'm probably outing myself here. I was traveling back from a conference in Tasmania sitting on the tarmac, and I saw on one of these platforms a product that would take a little scratch out of the duco of your car's paintwork. I thought that looks alright. I'm a bit car proud. So, I went through the social media channel and tapped in and thought I was doing quite well, making that purchase. The following morning I'm out mowing the lawn and I get a call from my bank saying, Bruce, we've blocked this payment. Do you know who they are? I said, they seem to be a UK-based provider. They said, they might try and sell you stuff, but they sell the details of the financial information you provided to someone else to hack you. So, they've shut down the show.

That's a thing to be alert to. And that's also why these integrated platforms are so attractive for hackers wanting to do nefarious things.

Gary Adshead

Alright, so you've come up with a guide, some sort of structure of what you can do that gives you the best chance If you're setting up one of these sites on a platform. What's your top tips?

Bruce Billson

Well, top tips are probably don't go the hamburger with the lot. Create a profile that's got privacy settings and control and management settings that you're comfortable with and you can actually take charge of. Take out profiles or other connections which you just don't need because they can often be that that gateway that people could use to gain access to your page.

Make sure you can actually control what you're doing. In the event that someone else gets in there, you've still got control and it's about turning ads on and off. And I do this myself, Gary. I've got a credit card that's got a pretty low balance on it, which I use exclusively for transactions that are online. So, if someone does tap into it, they can only do so much damage. And if I was selling through one of these platforms and I had a linked credit card for advertising expenditure, I do the same thing. I'd have one that didn't have a behemoth credit limit on it. I’d have it quite low knowing that if something went wrong, you can shut that down quite quickly. Even keeping to one side, the details of your you are URL and your account details. And even having it recognise that you're on a mobile phone so that if your account’s locked down, you can at least use that other channel, your mobile phone, that's recognised by the platforms to try and seek a resolution.

And if that doesn't happen and you're a small family business and you're seeing your business compromised by this and you're getting no help from the platforms, reach out for us and we can possibly help.

Gary Adshead

That's actually a real point, isn't it, that it's very difficult to find – even though Meta have got offices here – it's actually pretty difficult to get through to someone, particularly if this is an emergency.

Bruce Billson

It is incredibly difficult. And what we've said to Meta and the other platforms is that you need to have decent internal dispute resolution mechanisms, decent support, like here's a novel idea, Gary, how about a human someone can talk to you? Here's an idea maybe that might take off, and when we deal with them, we sort of say, Look, we definitely want someone who's got the authority to fix some of these problems. Some of them we can get sorted out quite quickly. But even with the relationship we work hard to build so that small and family businesses can get support from us. Even at times, it can still take weeks. Think of it in a real retail sense, that's weeks that your door's not open, you're not engaging with your customers and that can be really damaging to your business as well.

Gary Adshead

And I'm not trying to sort of put a damper on people who want to use these platforms for their business, but we have examples and we spoke last week to someone who through their own Facebook marketplace. People are basically knocking on their door asking for the product that they bought and the person's going, dunno what you're talking about. And it's because of this whole fraudulent nature that Facebook Marketplace.

The person I spoke to last week, a former minister in the in the government here who found that he was getting knocks on the door because he thought he was being used. He can't get anything done through Meta. He can't get any resolution to it. He's just got to put a sign on his gate saying it's not me, I'm not selling well.

Bruce Billson

And Gary, we've said to these platforms, you need to do better otherwise lawmakers will regulate. And you end up with it with a whole lot of challenges and obligations and duties you might not want. But if you want to, you want to try and minimize that prospect, do better, do better. I mean, we've even seen examples where you've got businesses interacting well, and these platforms, you know, aspire to look after customers. But this isn't the way of looking after customers. And that's why we're urging these platforms to step up and do better themselves. And that way if people do get half a chance to sort these things out and still can't, we can step in and try and be of assistance and that's what we're doing. Those cases have doubled in the last year and we expect to see that trajectory continue.

Gary Adshead

If push comes to shove and someone set up a business through a platform and suddenly people have lost money on it, who's liable? If it's the platform itself that was too easily hacked in that instance? I mean, it is it you as a business person to have to pay up or do you have to go to Meta and say, look, this is through no fault of my own, and good luck trying to get them to deal with it.

Bruce Billson

This is precisely what the Parliament's navigating right now. Who is accountable? Where do those responsibilities sit? Are the platforms doing enough?

Well, let's do a real life parallel. If you are managing a shopping centre and there were shops in your shopping centre, what type of conduct would you permit to happen? You've got some accountability for trade and commerce in that space that you govern and you manage. Now, the argument is the same should apply to these digital platforms.

And even in some areas Gary, which your listeners need to be alert to, particularly small and family businesses that are relying on these platforms, even the capacity to do a recharge back to a credit card? There is a new scam happening and it's happening with customers sort of saying, look, I've just bought this valuable item off a website that you host as part of your digital platform. I don't think it's being delivered. I want my money back. And then people are actually claiming, falsely, that the material wasn't delivered and the poor old business is faced with, hang on, I've got all the documentation saying it was delivered, you should at least check this out before you unilaterally take some dough back that I've been paid for the product that I've delivered when you're actually being stooged about that.

So, it’s another thing to watch out for.

For your listeners, make sure you've got some way of validating delivery and fulfillment. Otherwise that represents another risk to small and family businesses relying on these platforms.

Gary Adshead

It's funny because I went to a online platform not long ago to buy something in particular. It never came. It was, I don't know, two and a half months. I rang them and eventually said, Look, just give me my money back because it's not coming. They went alright. It turned up yesterday.

Bruce Billson

You might be my case study.

Gary Adshead

They did say if it does happen to turn up, well, good luck to you and so be it. So, they're pretty straight up and down. So now I've got two of the same thing.

Bruce Billson

Well, let me check on that chargeback. When I’m giving those stories, I might need to say a customer - let's call him Gary.

Gary Adshead

Alright, if people want to know about how to set up some safety tips and be secure on their digital platforms through these particular platforms that they should be going to your website.

It's A, S for Sam, B for Bob, F for Fremantle, E for elephant, O dot gov dot au forward slash SM-securely. (www.asbfeo.gov.au/sm-securely) I really appreciate you coming on Bruce.

Bruce Billson

Happy to chat Gary. Best wishes to you and your listeners.

Gary Adshead

Bruce Billson there, the Australian �Թ�� and Family Enterprise Ombudsman.

MEDIA RELEASE: Small business Ombudsman's guide to using social media securely

Emily Carter — Tue, 28 May 2024 23:20:09 +0000

MEDIA RELEASE: Small business Ombudsman's guide to using social media securely Emily Carter Wed, 05/29/2024 - 09:20

28 May 2024

The Australian �Թ�� and Family Enterprise Ombudsman, Bruce Billson, has released a guide for small businesses using social media as their business platform, with tips to reduce the chances of being hacked.

“Using social media can be a valuable way to grow and increase awareness of your business with existing and potential new customers, but there are important precautions that must be taken” Mr Billson said.

“Digital platforms have fundamentally changed the way small businesses connect and sell to their customers. Yet, when there is a problem – such as having your account shut down after being hacked – solving it can be a nightmare.”

Mr Billson said the number of cases involving a small business having problem with a digital platform has more than doubled since July 2022 (up by 127 per cent) and continues to be one of the top requests for assistance that requires a case manager to get involved.

Two-thirds of the cases relate to Meta, the owner of Facebook and Instagram, and 75 per cent of those disputes last month alone were about getting access to an account after being hacked.

“In too many cases, when there is a problem, these platforms require a time and resource-poor small business to navigate the most elaborate maze of dead-ends and blockages,” Mr Billson said.

“One of the absurdities of the current situation is after being locked out of your account, you need to access your account to make a complaint. It’s the ultimate run around.”

Mr Billson said the free Guide to Using �Թ�� Securely include tips for small and family businesses about how to reduce the risk of being hacked and steps that can be taken with the digital platforms if you are.

The free guide is available on the ASBFEO website at www.asbfeo.gov.au/sm-securely

“We have helped many small and family businesses across various digital platforms to resolve their disputes, and this guide includes some simple cyber security tips and practices for small businesses to protect themselves,” he said.

“It is important to not overlook important security elements when operating on social media, including how to reduce the risk of your social media accounts being hacked.”

When setting up a business on a digital platform:

Create your profile with the level of privacy and settings you are comfortable with, and that you can easily control and manage.
Make sure you can remove other users or profiles connected to the account and can control their level of page access.
Confirm you can turn ads on or off and can remove or update advertising payment information.
Have your account/s set up so the platform can communicate with you either via an app, text message or email to help with account recovery (should you need it).
Create a separate payment method that is only used for your social media account/s and set a limit on spending.
Keep your account details in a safe place. If your account is hacked and/or disabled, you may need to provide the URL for all your pages/accounts; the phone number and email address; and a screenshot of your page/s with the business name.
Consider expanding your business online presence to more than one platform. If your account is disabled, you can use the other platforms to continue to operate and keep your business going.

“Treat your online business security like you would a shop, factory or your home,” Mr Billson said.

“You wouldn’t give a person you have just met the keys to your business or your house, so only give access to your business account to trusted individuals. And remember not all users require full admin access.

“If you are hacked, report your issue immediately to the platform and make sure you are actually communicating with the platform and not the hacker.”

Mr Billson called on digital platform providers to improve their dispute resolution services.

“Big Tech must do better by its small and family business customers that depend on them,” he said.

“Some of the delays experienced by small businesses have lasted many months and having someone else access and control their account is devastating for their business and their reputation,” he said.

“Small businesses watch helplessly as the financial and emotional damage occurs in real time with no ability to stop it. They lose customers and money, if a credit card linked to these accounts if being used by the hacker or the hacker uses the account to access and harm other customers.

“We are urgently calling for codified, dependable and easy to use internal dispute resolution processes to be adopted by these digital platforms that can get problems resolved quickly.

“They need to be backed up by a real person you can speak to when a problem can’t be easily fixed.

“And this can be supported by a promoted external dispute resolution service, such as ASBFEO, for small businesses that can’t gain a satisfactory outcome when working directly with the platforms.

“Whether it is Facebook, Instagram, Uber, Amazon, eBay, Shopify or any of the many other digital platform providers, across the board there is an urgent need for them to do better by their small and family business customers.”

MEDIA CONTACT: 0448 467 178

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business

Emily Carter — Wed, 29 Nov 2023 05:12:38 +0000

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business Emily Carter Wed, 11/29/2023 - 16:12

27 November 2023

TRANSCRIPT

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Kerry Peck.

Radio 2BS Bathurst

27 November 2023

Kerry Peck

Businesses lost $13.7 million to scams last year. Now, this is an absolutely horrific figure. A $100 million upgrade across the banking sector has just been introduced so we thought we'd catch up with the �Թ�� Ombudsman, Bruce Billson. Good morning, sir.

Bruce Billson

Great to be with you, sir, and with your listeners and congrats on 60 years of that silky, smooth, melodious tone you bring to airwaves.

Kerry Peck

Yeah, I"ve been around ... I'm doing okay. This is a very serious question at this particular stage and I know they did a fairly big exposé on it last night on television, and we've been talking about it for quite some time. We really do, in this day and age, have to be vitally aware of scams, don't we?

Bruce Billson

Well, absolutely, and particularly for small and family businesses. That’s what gets me out of bed every day. But for all of your listeners to be alert to the behaviour of these nefarious cats that try to mimic your log in details, even impersonate you, to gain access to services and support.

I mean the costs are about $46,000 per incident for a small business. So that's a big number in its own right. But part of the bigger concern is for too many small businesses that a cyber incident, a scam that they're involved with, can be a business ending event because you might lose control over your business systems that are vital for you to trade or, and this is what we're seeing, you lose the confidence of your customers. They say, I trusted you with this information so that you can deduct payments for my monthly gym membership, it might be a hairdresser, a beautician that has a routine appointment with you, and you start losing the confidence of those people if you start losing control over your data and the scammers get to mess with your information.

Kerry Peck

We all like to give the banks a bit of a bash every now and then, obviously, that's sort of part of the Australian sport, I think to a certain extent. But you know, the banks can only do so much. I mean, there's a lot of responsibility that should be on the small business itself.

Bruce Billson

It's a matter of people doing what each is able to do. I was very supportive of the banks’ announcement late last week where they said they'd use their technologies to compare the name of the bank account with the BSB and account details and if there's any irregularities then hold up the payment. That's a good measure. That's the measure that's been operating in the UK for some time and it's pleasing to see that that's happening here.

Now, why is that important? Let's say we had a builder in our community in Bathurst building a home for us. We knew we were up for a progress payment. So we're expecting an invoice for $85,000 or something like that. And a scammer got into the builder's technology and just sat there quietly, silently. But when that builder produced the invoice for us, it looked all legit. We were expecting it. It was for the right amount. But one of the scams that we've seen a lot of harm caused by, is this invoice substitution scam where they quietly go in and actually change the banking details on that invoice. So it looks very legit, but it's actually sending that money offshore, usually gets turned into crypto currency and is untraceable very quickly.

Now what the banks have said late last week is a couple of things will happen. One, where there's this irregularity between the account name and the banking account details, they'll stop the payment. Where there's a large payment that might not be your normal pattern of expenditure, they might query it with you or even slow it down. And in some cases they'll work together to delay the transfer of some money between banks so that if it is a scam, there's some chance of cutting it off. So that's what the banks are doing and that's great.

The telcos are doing good stuff to the extent that they can as well. It's called clean pipes and they cut off a lot of nefarious sort of traffic over the Internet and the like, just as part of their service. So that's good.

But for the individual and the individual business owner, there are things within their gifts that they should do. They should take steps to protect their data. They should only hold the information that they need. They should use that multi-factor identification to verify what's going on and also keep their software up to date, because often those software updates have patches or changes to them to guard against the cyber criminals.

I suppose I put it this way, we wouldn't leave our shop open in the main street of Bathurst with the door wide open and the lights on in the middle of the night and expect everything to be okay. It’s the same sort of logic that there are things that can be done in the digital world like that, and that's what I'm urging small and family businesses to do while those other parties do the things they do.

Kerry Peck

And the other thing, of course, is these guys have no conscience whatsoever.

Bruce Billson

It's actually quite a sophisticated business model. We've heard stories about these being structured like a corporation. They even have an HR Department. They have got people that are specialists in understanding human psychology - what sort of prompt or what sort of dodgy text message will most likely produce the action that they want. They know what time of year it is, so they'll send out little reminders through SMS masquerading as the Tax Office, and it's not them.

And that’s why it's also important in an announcement last week that the government made for their cyber security strategy that for small businesses you can jump on the Australian Cyber Security Center and get a bit of a health check just on where you're at with your cyber protection and then some steps to improve it. So jump on www.cyber.gov.au and you'll get onto those resources.

And then secondly, in the event that you are compromised, it's not up yet but it will be soon I hope, a new service the Government's announced that will see a skilled person get alongside the small business to help them navigate the circumstances they're confronted with because they've been compromised.

They’re two good initiatives sitting alongside the stuff the banks announced and hopefully an increase in awareness amongst people about what individuals and actual small businesses can do to help better protect themselves.

Kerry Peck

Thank you for your time this morning, sir. I really do appreciate it. There we go. Ombudsman for �Թ��, Bruce Billson.

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business

Emily Carter — Mon, 27 Nov 2023 01:13:09 +0000

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business Emily Carter Mon, 11/27/2023 - 12:13

24 November 2023

TRANSCRIPT

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Leon Delaney.

Radio 2CC Canberra

24 November 2023

Leon Delaney

Banks right across the industry have joined forces to launch something called the Scam Safe Accord. Now, the centrepiece of these Scam Safe Accord is name matching to account numbers, something that perhaps should have been done years ago. Nevertheless, never to look a gift horse in the mouth, better late than never. Joining me now, the Australian �Թ�� and Family Enterprise Ombudsman, Bruce Billson. Good afternoon.

Bruce Billson

Leon, fab to be with you and your listeners.

Leon Delaney

Thanks for joining us today. This is especially important for small business operators, isn't it? Because obviously one of the big scams that targets small businesses is when communications or invoices are intercepted and the scammers, the crooks, substitute the correct account information with incorrect account information, which means they get the money and everybody else loses. So how is this new initiative from the banking sector going to help?

Bruce Billson

This is a really positive step. You're right, it's been in place in some jurisdictions overseas. The UK have had something similar for a while. What basically happens is when you put in the account name, the BSB and the account number, it checks against that name and if there's an irregularity then it stops the payment going through.

This is fantastic news. If you and I had a regular relationship with another business or a customer, they may well be expecting the invoice to come through an email. And where this cyber scam kicks in is people then go in and change those banking details silently. You don't know. It all looks legit. It's expected. It's gone to the right customer. The sums are the right amount. You make the payment and then it's whisked away into a bank account and usually within moments probably converted to crypto currency. The customer or the supplier loses the money, and the business that's produced the goods or service doesn't get paid either. So, everyone's out of pocket. There's no good outcome and that can be really catastrophic for businesses that are caught up in that. I don’t know about you but some of those big bills that we pay as consumers, who's got the money ready just to replace that payment and settle that account?

Leon Delaney

Well, apparently, according to the data from Scamwatch, small businesses lost almost $14 million last year, and that represented an increase of almost double from the previous year. So obviously, there are crooks out there that have been making plenty of hay while the sun was shining. Maybe now the sun will be a little bit dimmer for them.

Bruce Billson

Well, I'm hoping so. And the banking industry's announcement - and a credit to those financial institutions for getting involved in this way - it comes off the back of some really useful announcements by the government earlier in the week as part of this cyber strategy. That's tools that let small businesses establish just how strong their cyber protections are. Some practical advice on the actions they can take. And also an announcement of a one-to-one help service in the event that you are the subject of an attack, what you do to recover.

Now, why is this so important? Well, the average cost of a small business cyber scam is about $46,000 Leon, but it can be more catastrophic than that. The business might lose the capacity to actually function. It might lose the confidence of its customers. And for too many small and family businesses a cyber event can be a business ending experience. And that's why it's so important to do what we can, to be protected as we can be, and to know what to do in the event of an incident.

Leon Delaney

What exactly were these two programs that the Federal Government announced earlier this week to help protect businesses?

Bruce Billson

The first one is a safety health check that looks at just how ready your business is. You know, it's part of a small business cyber resilience service. And you get onto the Australian Cyber Security Center's website. It’s pretty easy to find it's www.cyber.gov.au and in it is this cyber health check program and that can be really useful just to knowing where you can make stronger improvements in your cyber protection.

But beyond that, the Government's also announced that it will be going out to tender to get businesses to bid for a service that actually provides one-on-one support for a business that does experience an event because that can be really challenging Leon. There's a whole bunch of reporting obligations that businesses have to meet. But there's also advice, someone getting alongside you. What to do if there's a demand for a ransom? How do you recover your business system so that you can trade again? And also, what do you need to do with your customers and those that are in your business ecosystem to let them know that something's happened and to take appropriate steps?

This is the kind of practical advice and support we've been calling for, and it's pleasing to see some of these services responding to the needs small businesses themselves have identified.

Leon Delaney

Yeah, this matter of paying ransoms to get your own data back again, there were reports that the Federal Government was considering making it actually illegal to pay a ransom, but the government in the end decided not to go that far. Was that the right decision?

Bruce Billson

Look, I think so. It's difficult. If you and I or your listeners and I were running a business and some critical information was being held and we were told that if we paid a fee, we'd get it back. Sadly, that's the business model that the scammers operate under, and it's not always certain that you'll get that information back or that what they've gleaned through a cyber attack still won't end up on the dark web.

So, there's no guarantees. But what happens when those ransoms are paid is you're actually feeding the business model of the scammers, and therefore they'd be encouraged and resourced to keep going. Where the government's landed is to look to businesses to notify them that there's been a ransomware incident and what's happened. No penalties arising from the actions you take. But just a real hope that you share that experience, share the intelligence that can be gleaned from it, and then through the experts that are part of government steps can be taken to guard against further episodes.

Leon Delaney

Yeah, as you indicated, I'd be hesitant to pay any kind of ransom in the first place because I would not be convinced I would actually get my data back anyway. I would assume that they're just going to take the money and burn me anyway. But apparently, from what I've been able to read, there have been instances where businesses felt that they had no other option but to pay the ransom. And they have indeed got their data back, which I guess is a good outcome for them. But it was a hell of a gamble, wasn’t it?

Bruce Billson

I ache for the small and family businesses that are in that situation. You can imagine you put 20 years of your life into building that business. Some jokers jumped in through a cyber attack and has taken control of your accounting system or systems and technologies that are really critical to your business operations. You're sitting there wondering do I give up all of that lifetime of work or do I effectively gamble on criminals being decent? That’s a horrible call to have to make, which in my eyes, and I hope my encouragement to listeners Leon, is to take those steps that can be taken.

The banks are doing what they can do in the payment systems. The telcos that are implementing what they call a clean pipes measure where they cut off a lot of traffic that's run over the telecommunications system. But I'm urging small and family businesses to take the steps that are within their means. I mean, no one would leave their shop open with the light on and the door wide open in the middle of the night. It's taking appropriate steps in the cyber world like you would take in the real world. And it's good that there's help and support available with that.

Leon Delaney

Absolutely. And just back to this announcement from the Australian Banking Association and the Customer Owned Banking Association involving the entire gamut of the banking sector banks, credit unions, building societies, they're all part of this. It's called the Scam Safe Accord.

The thing that I can't help but question is that for all these years, whenever we make an electronic payment, we have to put in the BSB number, the account number and the name of the account holder. Why did we ever have to put in the name of the account holder if the banks weren't checking the name until now?

Bruce Billson

You're probably better off asking a banker about that Leon. I suspect it's got things to do with record keeping and the like.

Leon Delaney

They always used to tell us, though. Make sure you've got the numbers right because the name doesn't matter. Well, if the name doesn't matter, why did we have to put it in?

Bruce Billson

Well, it matters plenty these days. And maybe it's fortuitous, but now that information's being correlated. Where it can’t be confirmed that the payee is who you've got in mind, they’ll be blocks to that.

There's some other things too about biometrics checks and people opening a new account just in case they're trying to mimic you or have got some personal information. Even some warnings and notifications and delays. You know, I think the banking industry have said if there’s a pretty juicy big payment that might be suspicious, they might just slow the whole show down and maybe send some warnings and just check that this is what you intended to do. And make sure someone's not on the receiving end of a cyber criminal threatening them to do certain things unless big sums of money are transferred.

So, I think these are all good steps. You're probably right with a little bit of scepticism around timing, but it's a step in the right direction and that's why I'm welcoming it.

Leon Delaney

It is indeed a step in the right direction. Bruce, thanks very much for your time again today.

Bruce Billson

Good to be with you, Leon, and your listeners.

TRANSCRIPT: Banking announcement to fight scams, small business conditions

Emily Carter — Fri, 24 Nov 2023 05:46:26 +0000

TRANSCRIPT: Banking announcement to fight scams, small business conditions Emily Carter Fri, 11/24/2023 - 16:46

24 November 2023

TRANSCRIPT

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Tom Connell.

Sky News

24 November 2023

Tom Connell

Banks have introduced sweeping changes in a bid to better protect customers against costly scams. Almost $430 million have already been lost to scams this year. Joining me live is Bruce Billson, Australian �Թ�� and Family Enterprise Ombudsman. Bruce, thanks as ever for your time. I think this is something people won't realise existed previously, that it doesn't matter what you put in the name, it can be absolutely anything basically, if the numbers are a bank account, the money goes out there. I know a family member that's transferred money accidentally the wrong way, they got a number wrong, and it still goes out there. How has this taken so long?

Bruce Billson

Some of the banks have actually had more advanced technology Tom than others and put a little cautionary flag where some of the transactions don't quite ring true. But this announcement on the eve of Scam Awareness Week is really welcome. It is one step of many needed to protect citizens and small and family businesses from some of these cyber threats.

And a really common one is where a cyber hacker gets into a business's software. They go to issue an invoice but the hacker has silently changed the banking details. It looks all quite legit. The customer at the other end is expecting the invoice. It's coming in the shape and style and with the price, the value on it, you expect, and people just go and pay it without realising it's been compromised by substituting a hacker’s BSB and account numbers. That payment is made and within moments it then gets usually shunted offshore and converted to crypto.

So some of these announcements are really good. This is a model that operates in the UK. The banks also have come together to think about pause mechanisms if someone oddly changes authorities for payment or things of that kind, which might be the consequence of someone bribing them or maybe forcing them to do things they didn't want, or that someone's accounts had been taken over by a hacker.

Tom Connell

That example is a really common one, that you spoke of. Intercepting, getting between the email getting sent out by the business and the person receiving it, which then of course often will put a business out because the individual says, I got sent an invoice from your email, it's not my fault I paid the invoice and that leaves the small business out of pocket.

And again, it seems like such a simple change because they don't match up. Even if there was an issue and they’ve changed bank account names, it's better to sort that out rather than have the money go the wrong way. And as you say, in an instant the money's gone. Are there any changes on the horizon around that? Because on the one hand we want money instantly, right, and business want to get paid. But sometimes you realise the mistake’s made an hour later, but you can't do anything about it. Is there an element around, we almost need a delay back in there, depending on payments?

Bruce Billson

And that's part of the announcement that the banking industry has made, which we welcome. Building in some pauses where money is moving around there is a chance to recover. Using the example we just spoke about, many of our small business customers work with the Australian Financial Complaints Authority, and the banks would try and do whatever they can after the event. But if the funds are already gone, there's really limited options. So those ideas about pausing where there's a variation in authority to deduct or to make payments. Even big numbers Tom that bank hasn't seen the customer engage with before. These are the things that are being built in, you know, checks and safeguards on top of the practical things that we can all do, and particularly for small business.

We keep saying let’s hope people do the best they can do in their space. The banks have stepped up, that's great. The telcos are running what are called clean pipes initiatives where they cut off nefarious traffic wherever they see it. But also, for individuals, you know, thinking twice about who you share account access information with. I know our assistance team here have had a few cases where someone's been duped into believing the contact they were having through emails and the like was someone that they knew and that they could share access details to accounts or myGov and that would be okay. Turned out not to be the case.

There are two messages in that: careful about sharing any of those things designed to protect you with anybody. And then secondly, what steps can we take to mitigate the harm and the risk and the consequence.

So that's what's good about this. It's also what's good about the government's announcement earlier in the week with more help for small business in this space.

Tom Connell

Bruce, 30 seconds or so, how is small business doing overall?

Bruce Billson

Challenging economy right now, Tom. Plenty of headwinds out there. Margins are tight. A lot of people feeling what we know for citizens are cost of living pressures, they’re input costs for small business. And as budgets tighten, people are less inclined to engage in discretionary spending. Retail's probably going to be a little bit down over Christmas. But as you would see, the sales coming up over this weekend are quite timely. And you know, one thing you can count on Tom is the perpetual optimism of enterprising men and women. So, they're still up in about, but probably more headwinds than there is wind in their sales right now.

Tom Connell

They need a bit of Bruce Billson optimism and can-do spirit maybe. Bruce always appreciate your time thank you.

Bruce Billson

Thanks Tom.

TRANSCRIPT: �Թ�� Cyber Security

Emily Carter — Tue, 21 Nov 2023 02:57:56 +0000

TRANSCRIPT: �Թ�� Cyber Security Emily Carter Tue, 11/21/2023 - 13:57

20 November 2023

TRANSCRIPT

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Oly Peterson.

6PR Perth

20 November 2023

Oly Peterson

On average, a cyber attack on a small business, it costs $46,000. If you own or operate a small business, maybe you work in one yourself. Have you been a victim of a cyber attack? What did it do to the business? What did it cost the business?

Bruce Billson is the Australian �Թ�� and Family Enterprise Ombudsman and we welcome him back to Perth live. G’day Bruce.

Bruce Billson

Oly, great to be with you and the west coast listeners.

Oly Peterson

It's good to have you on the program again, Bruce. And there's obviously been a lot of focus on these high profile cyber attacks of recent years. Obviously Medibank and Optus spring to mind. Optus obviously in the news again over the last two weeks for lots of other reasons. But underneath all of this is the fact that small businesses here in Australia will be getting more and more support because, let's be honest here Bruce, they're more susceptible to a lot of these cyber attacks.

Bruce Billson

You're thinking like a cyber criminal Oly. That's exactly what some of these nefarious cats think, that small businesses may well be less protected, may have invested less in their cyber protections, and may also be not just a target in their own right, but possibly a gateway into systems that they intersect with. Think of a small business, it might be a supplier to a major firm, and they might be plugged into invoicing and enterprise technology and the like.

So this is a really welcome move. The Government's announced there'll be two more things that will add to the toolkit.

One's a self assessment tool where you can check out where you're at and get some really good advice on steps that you can take and that are within the gift of a small business to do. So these aren’t, you know, having a whole crack team of cyber technologists sitting alongside you. But things you can actually do, very practical things you can do and make sure you're as ready as you can be.

And the second one, which is something we've been calling for, is, where's the one-on-one help in the event that you are compromised? I mean, that's a tough time to work through. It's traumatic for the business. They might be wanting you to pay a ransom. They might have some other things going on. Someone who can get alongside a small business to help navigate that incident response and hopefully recovery. That's going to go out to tender. That's a very welcome measure and one that we've been arguing for.

Oly Peterson

Because when I was reading some stats a little bit earlier, Bruce, and you’ll correct me if I'm wrong here, but a small business in Australia is attacked every 6 minutes, so there's going to be ten of these in the next hour.

Bruce Billson

It's frightening. And then you look at the costs. The Cyber Security Center for the nation estimates it's about $46,000 per incident. But let's also remember, many never recover, Oly. I mean, if you lose control over some of your vital data or your back-end systems are compromised, not to mention how your customers might feel about it. I mean, you and I, being athletic gents, might be running a gym and we've got our information about our clients. And if that's compromised, they might think I’m not going back there.

So, this is where we've been saying, let's join up a few things that are changing right now. There are expectations of small business around privacy and information management. Then there's other things that are happening in the economy, like the Consumer Data Right. Sounds quite funky, but it's basically where consumers can say to certain service providers, how about you give me the info you got on me so I can go and check around with other service providers to see how I might be able to get a better deal.

So these are all things happening at the one time and we're saying these are all challenges for small and family businesses. Let's get alongside them and provide this support to navigate these times as best we can.

Oly Peterson

Because laws continue to evolve and change as you’ve said Bruce and the scammers become more and more sophisticated, so the knowledge you might have had six months ago could actually be out of date.

Bruce Billson

Yeah, that's right. And the tactics shift as well. I mean, around this time of year, you’re starting to see the scammers pushing out Cyber Monday sales offers. Around tax time they try and mimic the Australian Tax Office as if you've got some advice, you click on it and before you know it you've downloaded something you really don't want in your system.

And something that most small businesses, I think, are growing awareness about is what's called the invoice substitution scam. The cyber criminals get into your system, you go and send an invoice to somebody for a big number, like an instalment payment on a house build, and they just get in there and change the banking details. And so it lands in the customer's inbox, looks legit. They're expecting the bill. It’s come from the people they expect. You go and pay $90,000 as a building instalment and it goes off into cybercriminal hands, probably gets converted into crypto within about five minutes and these jokers run off and you’re left there having done your dough but you also haven’t paid the business that you're dealing with.

So these are some of the changes. Things like eInvoicing can help in that space. I know some people do what I do, Oly. If it's a big number and I can't afford to have it get pinched, I'll ring up and check the account details to say, is this still the right account? Are details different from last time? My little Spidey senses are telling me I need to do a little extra step. That's all the changing nature of commerce at this time when cyber criminals are looking to take the advantage.

Oly Peterson

And it must be said Bruce, the banks are also starting to roll out new technology. They like to tell us about it in real time to give people an opportunity to think twice about that bank account, which is important. But we've got to have our antenna up on these things. And seems we’re just all fighting against the tide at the moment. It is difficult to navigate.

Bruce Billson

We're going to have to get the best of everybody. Now, that means you and me as individuals, we have to have our wariness up and we have to listen to our Spidey senses. For business owners, you don't leave the door open with the light on at night when there's no one there. You take certain steps and safeguards that you're able to do.

The telcos are trying to do what's called a clean pipe initiative, where they cut off a lot of the traffic through the telecommunications infrastructure. And as you mentioned, Oly, the banking system are really stepping up. I mean, they do this in the UK where the bank account details you think you're sending money to, if it doesn't correlate with the BSB and account numbers, it basically goes woop, woop, woop, woop. This isn't probably your best idea. Check it out.

That's an integrated response. And then sitting beyond that, you've got some real specialist expertise. And as was identified through this announcement that the Government's made, a welcome announcement, tooling up and better supporting small business to navigate these times.

Oly Peterson

And the best starting point is, Bruce, is probably the Cyber Security Centre?

Bruce Billson

I reckon that's probably a good spot. That's where many tools are available. There's even some helpful guides. If you are a business that handles other people's information, how can you best do that? Some of those self-assessment checklists are there as well. And you can get a little bit more info about the kind of tactics these nefarious cyber criminals are deploying so you can have that situational awareness to best as best protected as you can be.

Oly Peterson

Alright, cyber.gov.au that is the website. Bruce good to catch up with you, we will do it again soon.

Bruce Billson

Always fab to be on your airwaves. Take care and best wishes to your listeners.

Oly Peterson

Bruce Billson, there, the Australian �Թ�� and Family Enterprise Ombudsman.

cyber security

Cyber security tips for small business

Small businesses can't be held to the same privacy standards

Ombudsman’s guide for small business - using social media securely

MEDIA RELEASE: Small business Ombudsman's guide to using social media securely

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business

TRANSCRIPT

TRANSCRIPT: Banking announcement to fight scams, Australian Government’s cyber support for small business

TRANSCRIPT

TRANSCRIPT: Banking announcement to fight scams, small business conditions

TRANSCRIPT

TRANSCRIPT: �Թ��� Cyber Security

TRANSCRIPT

TRANSCRIPT: �Թ�� Cyber Security