Founding a cyber champions club

Small business cyber security risks, part 1: 

Many cyber security professionals around the globe are concerned about third-party risk. What exactly is that, and why should you care? Personally, I like to apply what I consider to be a layer of common sense across these sorts of things, but I feel that I’m very privileged to constantly learn from some of the very best cyber security professionals in Australia and nearby, so perhaps what I assume is common sense is actually their knowledge “bleeding through” to me! So let me impart some of that knowledge I’ve accumulated, and hopefully you can benefit from it as I have done.

Let’s consider a small business, a hairdressing salon. Typically the team interacts directly with clients of course, although in order to service those clients, there’s very likely a CRM (customer relationship management system) to handle appointments, hold client information, and possibly even manage a pipeline of new clients. Additionally, there’ll be an accounting system to handle revenue from clients, and payments for staff salaries, suppliers and other operating costs, and to prepare the salon’s Business Activity Statement (the Australian government’s method of collecting company tax). It’s also practically an expectation now that the salon maintains a presence on social media, so let’s include Facebook and Instagram for argument’s sake. The salon would probably maintain a good old fashioned website as well, unless they’re content solely relying upon their social media pages for marketing purposes.

Now consider the information held in each of those systems. The accounting system will hold banking details for staff and suppliers. The CRM will hold customer information such as email and phone contacts. Ask yourself “If my email address, phone number or banking details were included in those systems, and the salon’s information systems were targeted by an attacker who stole my information, how would I be affected?” In 2022 when Optus suffered a data breach, there were ten million individuals affected, so odds are you’ll have first-hand knowledge of the process of replacing pieces of personal identification like driver licences, or you’ll know someone who went through it.

As members of the public, we have an expectation that businesses and governments protect our personal information appropriately. For the sake of brevity I won’t go into the regulatory requirements of this, suffice to say the Privacy Act (1988) has had numerous amendments over the years, most notably the Notifiable Data Breaches scheme in 2018. This affords us reasonably good protection assuming everyone follows the rules, noting fines of $50M can be imposed (or higher in some cases), with some exceptions.

Back to our salon example, and the accounting system is most likely a cloud-based system the salon pays a subscription to. It seamlessly integrates with the point-of-sale system, itself possibly another cloud-based subscription service, and it “automagically” pays staff directly into their bank accounts according to timesheet information. To the salon, it’s relatively low cost, easy to use, and critical to their business. However it is a third party supplier to the salon, which means the salon can’t directly control its operation.

Now the question “if an attacker stole my information from the salon, how would I be affected” is more complicated. What if the attacker stole my information from the company that operates the accounting system, along with many other individuals’ information, from other salons and all kinds of businesses? Surely that would be a more lucrative bust for the attacker?

This is exactly the kind of thinking an attacker may employ to target weak points in the supply chain, namely the third parties a business relies on. The cloud-based accounting system used by the salon is by its very nature highly accessible, from all around the globe. This increases the attack surface, lowering the cost of a successful attack. Remember that from the attacker’s point of view, this is about the information held in the accounting system, not the system itself. Before we had technology, that salon owner would have simply locked the accounting ledger physically in a safe to protect it from theft, and the attacker would have needed physical access to the salon, and safe-cracking skills, to steal it!

Does this make cloud-based accounting (and other) systems unsafe? Not necessarily, however any system or structure can have weak points. For example, one very common attack is the phishing scam, in which the attacker tricks the victim into disclosing their login credentials, allowing the attacker access to the victim’s private information. Although many technology providers use mitigating controls such as multi-factor authentication, sometimes these controls are optional, and can even introduce further weaknesses. Keep a close eye on trusted sources to stay up to date on the latest cyber attacks.

What does this mean for your business, and your supply chain? You’ll need to be aware of and close off the weak points, and have a plan in case the worst should happen. This could be included in your overall incident response plan, which should cover as many eventualities as possible to minimise the impact of all kinds of incidents, not just those involving technology. Cyber security risk is just like any other risk: it requires analysis of threats, an understanding of the impacts and their likelihood, and appropriate risk treatments to keep your business operating. Without guidance, this process can be quite daunting. A mentor once told me, “The attacker’s job is easy; just find one weakness. Our job is to find all the weaknesses and plug them before the attacker exploits them!”

In our third-party risk example, the salon owner would begin by figuring out who the third parties are, how they’re relied upon, and how vulnerabilities in their systems and processes could be exploited by attackers to compromise the salon’s business. In this blog series on small business cyber security risk we’ll delve further into that process, but for now why not start a “cyber champions” club in your workplace? For an easy start, spend a few moments discussing the activities you regularly carry out in your jobs, for example “sending mailouts to our clients’ email addresses” or “running the payroll for the office”. For each activity ask the question, “What information is handled or stored for this activity?” For example, “customer email addresses” and “staff bank account information”. You’ve just carried out one of the first steps in managing risk: identify your assets!
