privacy

Cyber security tips for small business

Olivia Pearce — Mon, 12 Aug 2024 01:19:05 +0000

Cyber security tips for small business Olivia Pearce Mon, 08/12/2024 - 11:19

31 July 2024

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Tim Webster.

ABC Radio Sydney

Subjects: ransomware attacks on small business, cyber security tips for small business, insolvency concerns, business continuity planning, changes to privacy laws, energising enterprise, Carly Simon, Warren Beattie, Mick Jagger and James Taylor

Tim Webster

Australian businesses are paying untold amounts of ransom to hackers, but neither the government or the public actually knows how much. That's interesting. The Cyber Security Act, which is yet to be unveiled, would force Australian businesses and government entities to disclose the payments or face fines expected to be brought before the parliament at the next sitting. So, how will small business deal with all of that? The Australian �Թ�� and Family Enterprise Ombudsman is Bruce Billson. He joins us from time to time and we love talking to him. G’day.

Bruce Billson

Great to be with you Tim. And I haven't heard that Carly Simon version either. Everyone remembers that Coming Around Again that was in that Heartburn movie, and, of course, You're so Vain. I mean, that doesn't apply to anyone in this conversation, but that was a big hit.

Tim Webster

Certainly not. 1973 You’re so Vain. Well, the conjecture about who it was about, and I think she eventually said it was a conglomerate. Warren Beatty, Mick Jagger, of all the men she’s known.

Bruce Billson

Warren suffered from being a particularly handsome rooster. Who knows. But that’s not what's on our mind though. The pressures on small business.

Tim Webster

The Cyber Security Act. Now, that's an interesting piece of information. Untold amounts to hackers, but neither the government or the public knows how much. I imagine that's because business doesn't want them to know.

Bruce Billson

Yeah, it's a tricky one because most of the expert advice is don't pay for the ransomware to be released so you can get your data back. But, clearly, in some cases, businesses are making a commercial decision that rather than have the whole capability and their ability to engage in trade and vital data, there are reports that some actually pay the ransomware and then hope that the nefarious figures that are involved in cyber hacking then do the right thing and release their data.

It’s a bit of a contested space, but the expert advice is, overwhelmingly, don't pay the ransomware. But then the same experts are saying for us to be best placed to combat that kind of thing, we need to know what's going on. And therefore, you know, the information perhaps around who's doing the ransomware attack and what you may be asked to pay is something that's really important to those trying to defend us in this cyber security threatening world.

Tim Webster

I know it's a threatening world, but tell me, do you think it's fair to fine people for non-disclosure, whether its 15 grand or whatever it might be, because they’ve already been ‘got’, haven’t they?

Bruce Billson

I don't think it's fair for small business to face what could be a fine that, if it was applied to them, would cripple their business. At a time when small business people are so time-poor and margins are really squeezed, and we know nearly half aren’t profitable right now. If you're hit with a ransomware threat or challenge, I reckon you'd be pretty focused on trying to get your business up and going again. And one of the things that we're finding in this complicated, quite sophisticated regulatory environment, you might not even know to whom it is you need to report this breach, but you inadvertently break the law, and then you're faced with another crippling impact on your business.

We've been urging government to have, almost like an A-Team, that can get alongside small and family businesses that have a cyber event. Have them navigate that process, help them make sure they've got appropriate safeguards, but also help them recover on the other side.

I'd hate to see anything that discourage people reaching out for that help if they feared getting pinged with a fine. So, maybe if it's a bigger organisation Tim, and they've got, you know, technical experts and they know all the organisational structure that happens in this space. Maybe a more punitive response is arguable. A time-poor resource-stretched small business, I’m not so sure about that.

Tim Webster

We were, as you would know, a victim of that CrowdStrike. And it was incredibly dramatic here when you've got a studio full of blue screens. So, it's happening to everybody. Maybe more help from the government rather than hindrance from the government on cyber security?

Bruce Billson

That’s our view. Look, there's some encouraging signs there. In the last budget there was an announcement to set up a small business cyber resource hub. I'm optimistic about that. That's what we've been urging that the government does, so that there's a real sense that government is an ally for small business when getting through these terrible events. Not one where they’re fearful of raising these challenges and therefore not getting the help they want and they need, and then having that really impacting on that businesses opportunity to recover, to get its data back, get systems going and and focus on delighting customers. Not that there's some fine around the corner they might get spanked with.

Tim Webster

My texter – don't forget to put your name on the text so I could acknowledge who you are - but he or she basically says, more regulation and red tape on small business owners like myself. It's none of anyone's business what I pay and to who.

Bruce Billson

I think if you had this support posture, one of assistance rather than of compliance, you get small businesses saying, oh, hang on, this is a change in our economy. I really need to be tooled up and as well-equipped as I can be. And to have the resources of government there to assist in making sure you've got appropriate safeguards, good preventative steps. Good, dare I say data hygiene. Sorry for the jargon, Tim. That'd be great. Then if something happened, somebody can get alongside you to work out what you need to do to get through that event. And then some help on the other side getting back up and going.

I think that posture, so much better, so much more likely to get the right outcome that policymakers are hoping for, rather than having this big fine hanging over a small business for whom, if they pinged, they might not have even known they needed to take those steps and then that fine itself could bring them down as badly as perhaps the cyber threat did.

Tim Webster

Everyone's got so much to do, Bruce. Oh, you got pinged and you feel really guilty. But don't because there's so much of it around. I mean everyone's after your information, your money, every day of the week. I mean the amount of text you get, emails you get. You've going to be so vigilant these days.

And look, Jamie says this. Good point. Don't know why you'd pay the ransom. Couldn't the hackers just copy the information they'd hacked and release it anyway?

Bruce Billson

I'm kind of with Jamie. And I’m not discounting for one minute that a commercial decision is often what's guiding this. But I tell you what, if someone was nefarious enough to have a crack and compromised my system in the first place, if I handed over a substantial chunk of change in the hope that they then do the right thing. That's the thing that I'm wary about with paying ransomware. I would have imagined having good backups, you know, multi-factor authentication to sort of limit what's going on. For your listeners that are in business and maybe use digital platforms, and have a credit card attached to say their Meta Marketplace account, if that gets hacked, do what I do. I use a very low amount credit card for my online transactions. Thinking, you know, if someone does grab that data and has a crack at my credit card, if I can't go back to the people that should have guarded against that in the first place, I at least have kept the credit limit very low. And therefore, the harm to me is minimised.

So, for your listeners and businesses and even consumers that are dealing with those online transactions and having credit cards linked to the advertising spend on digital platforms, have a separate credit card with a really low credit limit on it and minimise that risk. Make sure you've got control over that account. If they've taken the account out and blocked you, make sure there's another way of verifying that you’re who you are. And if all else fails and you’re a small business, get on to us and we'll help out.

Tim Webster

Is that Cyber Security Act a fait accompli? Is that going to happen, or can you convince them to not do it?

Bruce Billson

It's still going through the Parliament, so there's plenty of opportunity for some of your texters and others that have raised some good views, to feed those in because it's really about right-sizing it Tim. You and I've talked about that before, but a small business isn't some shrink wrapped major corporation that's got, you know, technical expertise coming out of their ears. That's not right. It's mum and dad and committed enterprising men and women often doing compliance things 10 o’clock at night to try and make sure that the business of running the business is attended to while they also focus on what the future looks like for their business, how can they delight customers and maybe, you know, innovate to get better value for themselves and the people that rely on the business.

Tim Webster

Alright, let's leave that one. There's a few issues to deal with. A 50% increase in queries by small business about a business they're dealing with, possibly being insolvent or a concern about what to do if they're worried about their own place.

Bruce Billson

There's a couple of things happening here. What we are seeing is that really significant uptick in concerns. We're also seeing people checking on what are called credit reference platforms, where they check to see whether the business they are dealing with has some, let's use the word form of not always paying their bills and the like.

But also we're getting an increase in payment disputes even when work is carried out under the contract or the terms that were agreed. Just getting paid Tim, just getting paid is really a pain point. And when the cash flow is tight and when you see the Tax Office are up and about trying to make sure that people with outstanding tax liabilities are engaging with them. When margins are being squeezed, one of the things you see sometimes there’s this friction in just getting paid and the payment time blowing out. It's a real concern.

So, what we're saying to business is if you've got those concerns there are ways you can check, for small fee you can check on the credit record of those businesses. That doesn't mean don't do business with them. But if you and I were running an electrical business and at a subdivision out in western Sydney, in a growth suburb like that, we've got to spend a bit of money buying all the equipment, the substations. So, we're out of pocket already. And then there's our time and expertise. So not being paid, not only us not being rewarded for our work and our diligence, we're also carrying the costs of the equipment we've had to buy. And therefore, you might say to that that developer I want half that project cost as a down payment before I start, so that I can at least cover the costs of those outgoings for equipment. And when the job's done, I'll come and get the rest.

So, you might change your terms, the way in which you engage. But just making an informed decision about those things where we are seeing an uptick in these payment difficulties, we recommend that as part of your approach to your business.

Tim Webster

Louise from Inverell. Louise says, I've got a small limit on my credit card. I used to make jokes that I should keep it maxed out for safety's sake.

Bruce Billson

She raises an interesting point. It is about managing that risk. I mean, sadly, the experience that you've had in the studio and some of these cyber events, I don't think they're the exception. We're likely to see more of that. It’s almost a new normal where there's such a dependency on technology and digital systems in our economy and our lives. Just taking those steps to safeguard, to prevent a bad event happening, and then to limit not only the risk of it, but the cost of it, they’re the things that that we're urging people to do.

Tim Webster

Now, let's allay the fears of Elyse at Mascot. This discussion about small business and security, making me feel very uncertain about transacting digitally with small business. Unfortunately, it steers me to dealing with larger organisations that are better resourced to protect my data.

Now, just on the back of that text. Also, a text about - look, sometimes on the ABC you have to mention a commercial entity just to make a point – I've been asked about PayPal. I don't, but my wife does, and she's never had any issues with that. So, both texts are sort of going, oh, gee, what do I do?

Bruce Billson

There's some really good points in there. And frankly, those messages are reflecting the sentiment in the business community. There is a heightened anxiety and awareness of these things, but there are steps that you can take within your own control. I mentioned multi-factor authentication. Changing your passwords, trying not to have Timisfab12345 as your password is probably not ideal.

Even the software, you get a notification that there's an update for the software. Tim and listeners, often those updates have safeguards or patches to guard against weaknesses or vulnerabilities in the software. Back up your files. I was involved in building a bank to take on the big banks and we used to have a system, and I know it's at a larger scale, but we used to have a system that backed up almost continuously. So, if one of what frankly was thousands of attacks on our site every week, if one of those worked, we could just go back to the moment and all the data before it was compromised and boot it up again from there. So those backups become really important.

PayID, where you verify who the payer is. One of the things in small business that is a real cyber threat are what's called the invoice substitution scam. So, they’ll sneak into your accounting and invoicing system and you won't even know it. They’ll mess with a PDF, a saved file, and put someone else's banking numbers in there. So it all looks legit. You're expecting this invoice. You pay it on the basis of what's in it. All looks legit. And some nefarious character’s gone and changed the banking details so it whisks that payment off to another account. And before you know it, they've converted it to crypto and you can't track it down. So, ways around that is to verify who you are sending money to, to use things like PayID and those secured systems.

The other one is to consider eInvoicing, which is a much tighter, less vulnerable way of sending invoicing. So, there’s steps that you can take. But needing to be situationally aware is really important.

Tim Webster

Jamie opened a second account and transferred my money to that. So, on the credit card, he's got nothing. And this one from Chris. SMEs and large enterprises should open a business continuity plan for ransomware, including incremental offsite backups. It's critical. And then their own servers would help. That’s Chris. It’s clever.

Bruce Billson

Chris is legendary. I hope he doesn't think we've planted that in there. Chris is absolutely right. We found only about one in four have an up-to-date business continuity plan. And that's where you contemplate things that might knock your business off-course and then think about and plan for and have the bits and tools in place to recover and to make considered choices at that time.

That business continuity plan, it could and should address a cyber-attack. And it'll talk about backups and knowing who your providers are and where you've stored data and key contacts to help you get up and going again.

But it might be dealing with a natural disaster. It might be dealing with a health episode. If you and I were the breadwinners of our partnership Tim and one of us got sick, that's going to bump us off track as much as a cyber-attack.

So, Chris is right on the money there. Think about what might happen that could take you off the course you want to be on and what are you going to do about it. And that's a really great contribution from Chris. Top tip of the day.

Tim Webster

Good on you Chris, thank you. Jenny says you can buy a credit card at one of the big supermarkets for various amounts. You can buy it on the internet and that’s not using your own savings. Lot of this is very clever, Bruce.

Bruce Billson

And really practical too. Jenny's again, right on the money. She's talking about practical steps well within your ability to take them, that actually mitigates against the risk of something bad happening. And then if something bad does happen, you’ve really cauterised the cost and consequences of it. They’re fantastic ideas and I hope your listeners are getting something out of this discussion.

Tim Webster

They obviously are. And thank you very much Chris and Jenny.

Now, before the news rushes up at me. The government's looking at removing the exemption that allows small businesses to not, to not comply with privacy laws. How does business feel about that?

Bruce Billson

Not thrilled, but it's very linked to our earlier discussion. So, under the privacy laws, there's a dozen or so privacy principles that big businesses need to read, absorb, interpret and then apply to their workplace and their enterprise about how they're going to manage data that might be vulnerable or might compromise a person's identity and those sorts of things.

So, you can understand where they're coming from. For many years there's been an exemption for small business, with the exception of sort of health professionals and those sorts of things. There's been a review saying, look, the whole world has changed. We just had a great discussion about it. And so much of our day-to-day life sees businesses having data that's really important to us.

Now is that data is risky to your identity or your economic interest, there's got to be certain duties to make sure you take really good care of it or, in some cases, advice to get rid of data you don't need so that you remove that risk. What the government's talking about is simply removing the exemption so that a small business has got to do all the hoop jumping the big businesses do this.

We’re saying, hang on a minute. Again, a time-poor, resource-constrained small business. Let's get in with some really straightforward, easily implementable action steps that achieve that objective and have good data management that's of advantage to the business as well, not just a compliance obligation. And maybe open up new opportunities to link cyber security safeguards, good data management. It’s a more complicated world to be running a business. But let's not make it needlessly super, super, super complicated where the risk and responsibilities just are completely out of whack.

Tim Webster

Bruce, I'm very glad I'm just a humble old broadcaster. The things small business have to deal with. It's quite amazing, isn't it? Really?

Bruce Billson

We've been tracking this and saying to anyone who will listen, the risks and responsibilities of business ownership continue to grow, but the rewards aren’t growing with them.

We need to really think about that risk-reward balance and make sure being an enterprising man and woman is attractive, it's fun, it creates wealth and opportunity for those business-minded people and those employees that they make possible. And it brings such a vitality to our communities where you might not have a big corporate go to regional and rural New South Wales.

What do you think's driving these regional economies and towns? It's small and family businesses, and we need to make sure we celebrate that and look for ways to energise enterprise so there's more of it and better prospects of success into the future.

Tim Webster

And just while I’ve got 30 seconds, a texter says to both of us. Mick Jagger did backup vocals on You’re so Vain so it couldn't have been him. I think that's right. However, why couldn't it have been him?

Bruce Billson

My mail tells me it was Warren Beatty and let’s remember there was a time when Carly Simon and James Taylor had a thing. That didn't end well. It used to be Her Town Too. There’s a song for you.

Tim Webster

I think she said in an interview it was a conglomerate, so let's go with that. Thanks for your time.

Bruce Billson

Take care and best wishes to you and your listeners.

Tim Webster

And he does join us quite regularly, it’s great. Our �Թ�� and Family Enterprise Ombudsman Bruce Billson.

Privacy changes coming for small business

Emily Carter — Wed, 24 Jul 2024 06:08:17 +0000

Privacy changes coming for small business Emily Carter Wed, 07/24/2024 - 16:08

22 July 2024

Australian �Թ�� and Family Enterprise Ombudsman Bruce Billson interview with Leon Delaney.

Radio 2CC

Subject: Privacy changes coming for small business

Leon Delaney

Small businesses in Australia are facing new privacy rules, so the government is working on replacing the current arrangements. but what will they be replaced with, and will they be workable for small businesses? Well, I'm confused just so somebody who can straighten me out is the Australian �Թ�� and Family Enterprise Ombudsman, Bruce Billson.

Good afternoon.

Bruce Billson

Leon, that's a big task. But maybe I can shed some light on this very important topic and, of concern to small business and understandably, their customers as well.

Leon Delaney

Whenever a business collects any data, they have an obligation to keep that data safe. They need to protect our privacy, don't they? But that must be a unique challenge for small businesses. Surely the simple solution is don't collect customer data?

Bruce Billson

Well, that's part of the solution. I suppose that's the idea that we've been pushing forward. You and your listeners would know the Privacy Act brings with it some appropriate and big responsibilities for people that are collecting data. Businesses that may hold personally identifiable information that may, if inappropriately handled, represents a risk to their customers and, frankly, a risk to their business. That's been with us for some time.

But in the Privacy Act, there is a general exemption for most small businesses and guidance to them to not hold stuff they shouldn't, not collect data that they then use for other purposes, those sorts of things. So, whilst that long standing exemption has been earmarked for removal, what's less clear is what's going to replace it.

And certainly, just having the privacy principles applied as if a small business is a major corporation with privacy experts and lawyers on staff, that's no solution whatsoever. So what we urging the government to do is recognise, as I think most people do, in a digital economic world where data is a real currency in trade and commerce, the appropriate management of it is very important for customers, for security of systems, for the business itself.

But don't apply a bunch of rules that are designed for big corporates when you're talking about a small local business. Come up with something that's right-sized, makes it very clear what's expected of those small businesses, and then everybody's interests are appropriately reflected.

Leon Delaney

Now, I would imagine that a lot of small businesses might actually turn to third party providers for their customer data management systems, rather than trying to do it all themselves, just use some sort of outside provider. Shouldn't the onus then fall on that outside provider?

Bruce Billson

You can't contract out of your duties and responsibilities. So, in that scenario, if you are using an external provider and let's think about real estate - I think you and I had a giggle some years ago as I was trying to get a rental property in Canberra, waiting for a home to be built and my goodness, they wanted to even know the temperamental, how would you describe my dogs if they were a person? They wanted to know what the microchip was, and then they wanted to know who actually installed it and when, along with the vast array of personal information - If that fell into the wrong hands, it'd be a walk up start just to have identity theft writ large right before your eyes.

So, with that level of detail and sophisticated and really intrusive information being held, there's got to be commensurate responsibilities about how it's managed. So, in that case, if you are using an external provider, making sure that they are fulfilling the duties that are expected of you, that you've contracted out, that's part of that process. And that's an example of a straightforward piece of actionable information that should be provided to small business.

Who's holding your data? Do you need to have it in the first place? Are you routinely going about removing data that's no longer necessary? And how might doing that well, join up with other things that are interesting and important for the business around information management, protection against cyber attacks, and also improving the resilience of the business at a time when we know even big businesses might be the target of nefarious actors.

That's what we're saying. Join those things up. Understand the consumer interest but have a right size, able to be implemented approach for small business.

Leon Delaney

Okay. You've been involved in the consultation process, getting a firm grasp on people's concerns over these issues. How’s the government addressing this? Are they near some sort of resolution where you know what exactly it is they're going to be putting forward?

Bruce Billson

Well, we hope we're getting closer. We have been involved in many elements of the consultative process, and we've been making these points quite clearly and quite consistently. Might be fair to say it hasn't always had an impact Leon ... and we've had to make those points a number of times. Also, for a lot of small business organisations that have been involved in them, they've also been making those points.

A central view is don't just apply the big business privacy principles to a small business, as if it's some shrink-wrapped corporate entity. There is a need for a bespoke, right size and able to be implemented approach, and we've been urging that along with it being joined up with other things that are its close companions - information management, cyber protection. How do you make sure you can access the Consumer Data Right? Don't have them treated in separate silos that will leave time-poor and resource-stretched small businesses bewildered. Let's bring that together and have various arms of government collaborate on a meaningful and able to be implemented engagement with small business.

Leon Delaney

You've also suggested that the principles that businesses will need to adhere to could actually be incorporated into some of the very commonplace software tools that they already use, like accounting software programs like MYOB or Xero. There's a range of different ones, but there's really only a handful that are widely used by almost every business, aren't they? So, if those measures could be implemented or in some way integrated in that software, that would be very helpful, wouldn't it?

Bruce Billson

Well, that's what we've been proposing. We're saying use natural business systems. Where are businesses are already using systems that touch upon these duties and responsibilities and what can we do to actually embed processes in that software, so it just happens as a matter of course.

For instance, if I'm onboarding a new staff member there’s particular disciplines around managing employee information. Well put that in as a natural process within a system you're already using, rather than having it sitting off to one side where you think, oh, I wonder what's required of me under these changes to the privacy arrangement.

Have it used as embedded and a natural action step, along with what businesses are familiar with, that they're involved with on a daily basis. And that makes this not some overwhelming new compliance imposition. It's just a natural thing that's done as part of good practice, being implemented by good businesses.

Leon Delaney

Indeed. Keep it simple, stupid. That's the basic principle.

Bruce Billson

Look, you can call me stupid. I've been called other things Leon, but I'll go with that. Look, I get called Bill a lot.

Leon Delaney

I was quoting a commonly used piece of advice. I wasn't calling anybody names.

Bruce Billson

I love it. And, you know, let's bring this home, though, for your listeners, knowing that information is being managed thoughtfully and carefully doesn't need to involve deep ponderance around principles and 20, 30, 40 hours navigating that framework.

For businesses themselves, an information breach can be a business-ending event. You'll lose the confidence of your customers. You might lose vital information. You might lose control of your systems. So, getting this right and seeing how it's adjacent to cyber security safeguards, information management and new opportunities like the Consumer Data Right. We think that integrated way forward with practical input information is the way to go.

Leon Delaney

Bruce, thanks very much for your time today.

Bruce Billson

Good to be with you.

Leon Delaney

Thank you. Bruce Billson, the Australian �Թ�� and Family Enterprise Ombudsman.