A voice in my imagination
Small business cyber security risks, part 4:
In the last few blogs we've focused on advice for small businesses, although really it has been relevant to all of us, whether we're talking about personal, small business or large business information security. Reaching for the ideal situation is certainly important and, in many cases, particularly for larger businesses, it's the law. However, last week in my imagination I heard the quiet voice of a small business owner saying, “but what if I’m struggling just to stay financially afloat and keep customers happy? I know cyber security is important, but I just don’t have time unless someone tells me exactly what to do!”
Perhaps that thought came to me because I was looking on with admiration at our local cafe, amazed at the hard-working team, always with smiles on their faces and a kind word for everyone. Whilst they're not struggling financially, I know how busy they always are, and I wondered how they manage information security risk. In a rare moment of quiet, I talked to the owner about her thoughts on this. Like many businesses, social media is an important channel for advertising. Thanks to some good advice they’d received long ago, they’d already implemented multi factor authentication for their social media accounts.
Whilst their accounts and BAS (the Business Activity Statement, which most Australian businesses must lodge to report taxes such as the goods and services tax) are handled by a certified professional, that arrangement still carries information security risk: there’s an element of trust. We assume a professional accountant will handle our information appropriately, or at the very least that we’d have financial and legal recourse if something did go wrong.
That’s two check marks in my mind. Protect the things you rely upon such as social media and entrust information about your business only to certified professionals. Although at this point during my “research” over a cup of coffee at the cafe, I felt as though I’d circled around a little. The accountant is probably also a hard-working person who cares significantly about information security risk, however, like that imaginary small business owner’s voice in my head last week, they might prefer someone just told them specifically what to do!
That’s why in this blog we’re focusing on immediate, practical steps small business owners can take to mitigate cyber attacks. This also neatly wraps up all the topics we’ve covered this year into our final blog for 2024.
So, multi factor authentication (MFA) is on our “bare minimum” list. It’s relatively easy to set up on most services, such as social media and Microsoft 365; where you have the choice, prefer an authenticator app or a passkey over codes sent by SMS, which can be intercepted or redirected to a fraudster’s phone. The Australian Government myGov service uses “passkeys”, which replace the password and the separate second factor with a single sign-in backed by security features in your device such as fingerprint or face recognition. It’s an excellent, zero-cost way to keep hackers out of your valuable information, and in my mind it’s mandatory. If you want to learn more about MFA, we covered it in detail in my last blog.
Having trusted, certified professionals handling your valuable information is also on our list. For the sake of comparison, consider how you’d normally seek medical advice. Most of us have a trusted General Practitioner, certified in the field. We’re used to this concept because the medical profession is well established. On the other hand, information security is a relatively new and evolving field, and it intersects with information technology, which itself is complex and relatively new!
Let me elaborate on the trusted, certified professional idea. Many small businesses have volunteer “computer people” like friends and family who work in information technology roles, or are familiar with fixing issues, which is great – until it isn’t. When you hand your laptop to someone to upgrade software or fix niggling problems, the reason you’re handing the device over in the first place is because your skill is making amazing coffee or styling hair, not fixing computers!
You are trusting that the “computer person” is competent, but have you stopped to think “competent in what exactly?” As we’ve said, information technology is a very broad field, and both cyber security and risk management intersect with IT in various ways, but don’t necessarily go hand in hand. I could talk all day about that topic, particularly that the information security profession actually needs non-technical people to address skills shortages.
Even professional IT “fixit” companies are not necessarily proficient outside their own specialities, such as fixing faulty hardware and installing software on laptops, and cyber security may not be a priority for them. I’ve met some excellent IT professionals in my time, most recently a Perth-based organisation that actively decided to upskill and certify themselves against a well-known information security risk management standard and marketed this competitive advantage.
On the other hand, I’ve also met some well-intentioned but misguided IT professionals who recommended customers use outdated software such as old versions of Windows “because it runs faster on old computers, so you can save money that way”. Any small speed gains and monetary savings this tactic might bring in the short term are ALWAYS undone in some way down the track. The consequences range from minor disruptions to your business operations, like various pieces of software not playing nicely together, right up to business-ruining, catastrophic events caused by attackers exploiting known weaknesses in the old software: weaknesses the vendor has already fixed in current versions but will never fix in a version it no longer supports. All of these outcomes lead to financial loss.
So how do you know if your “computer person” is giving you the right advice? Regardless of whether they’re a volunteer or a paid consultant, ask them one question:
“Are you familiar with the ASD Essential Eight, and have you implemented it on your own information technology systems and on mine?”
Well actually that’s more like three questions, but it’s still only one sentence you need to remember! If your “computer person” gives you a blank stare, this is a sign of trouble. On the other hand, if they launch enthusiastically into a spiel about how wonderful it is that little ol’ Australia came up with this great cyber security benchmark which is now held in high esteem worldwide and begin explaining the unique way they’ve gone about implementing it, chances are you’re in good hands.
Now if you’ve glanced at the ASD’s Essential Eight list you might be thinking “but MFA (multi factor authentication) is included in the Essential Eight, why have we singled it out here?”, so let me explain my reasoning. The eight are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi factor authentication, and regular backups. If you look at the other seven, you’ll notice they’re technically oriented. In this blog we’re focusing on the bare minimum, the things a small business owner can do themselves, and as we’ve already said, MFA fits that description. If you’re one of those hard working, busy small business owners, you’ll want to be sure that someone has the other seven taken care of for you, too.
I’m also going to briefly mention backups of your information, another item on the Essential Eight list, and I have a similar reason for singling it out. Unless you’re certain that your “computer person” has this covered, at the very least you could regularly copy important information onto a USB memory stick and carry it home. Make sure you encrypt that USB memory stick, however; you wouldn’t want your information to be read if the stick fell into the wrong hands. Keep the passphrase somewhere other than on the stick, and every so often actually restore a file from it, because a backup you’ve never tried to restore is only a hope.
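To make the “encrypted USB copy” concrete, here is an added example script; it is not from the original post and is not the cafe's or anyone else's actual backup procedure. It assumes the openssl and tar command-line tools are installed, and it reads the passphrase from an environment variable called BACKUP_PASSPHRASE (a name chosen for this example). The two files it backs up are constructed stand-ins, not real business records. The script does the three things the paragraph above asks for: it encrypts the copy, it keeps the passphrase off the stick, and it proves the copy can be restored.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a folder for the USB memory stick
# and prove the copy can be restored. Assumes the openssl and tar command-line tools
# are installed (standard on macOS and most Linux systems).
# The passphrase is read from the BACKUP_PASSPHRASE environment variable. Keep it
# somewhere safe at home, never on the memory stick next to the backup.
set -eu

PBKDF2_ITERATIONS=600000   # slows down password guessing if the stick is lost

# backup_encrypt SRC_DIR OUT_FILE: pack SRC_DIR into a tar stream and encrypt it with
# AES-256-CBC (key derived from the passphrase with PBKDF2) into OUT_FILE.
backup_encrypt() {
  tar -C "$1" -cf - . | openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITERATIONS" \
    -pass env:BACKUP_PASSPHRASE -out "$2"
}

# backup_restore ENC_FILE DEST_DIR: decrypt ENC_FILE and unpack it into DEST_DIR.
# Returns non-zero if the passphrase is wrong: openssl reports a bad decrypt, and
# even in the rare case the padding check happens to pass, tar rejects the garbage.
backup_restore() {
  plain_tmp="$(mktemp)"
  if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITERATIONS" \
       -pass env:BACKUP_PASSPHRASE -in "$1" -out "$plain_tmp" 2>/dev/null; then
    rm -f "$plain_tmp"
    return 1
  fi
  mkdir -p "$2"
  if tar -C "$2" -xf "$plain_tmp" 2>/dev/null; then
    rm -f "$plain_tmp"
    return 0
  fi
  rm -f "$plain_tmp"
  return 1
}

# backup_verify SRC_DIR ENC_FILE: the restore test. Returns 0 only if ENC_FILE decrypts
# and the restored files are identical to SRC_DIR. Run it every time you take a backup.
backup_verify() {
  restored_tmp="$(mktemp -d)"
  if backup_restore "$2" "$restored_tmp" && diff -r "$1" "$restored_tmp" >/dev/null 2>&1; then
    rm -rf "$restored_tmp"
    return 0
  fi
  rm -rf "$restored_tmp"
  return 1
}

# make_sample_dir: constructed stand-in for the business's records folder (two throwaway
# text files, not real data). Prints the directory path.
make_sample_dir() {
  sample_dir="$(mktemp -d)"
  printf 'Alice,regular,oat latte\nBob,new,flat white\n' > "$sample_dir/customers.csv"
  printf 'BAS draft Q2: GST collected 4210.00\n' > "$sample_dir/bas-draft.txt"
  echo "$sample_dir"
}

# Demo run. In real use, point backup_encrypt at your records folder and at a file on
# the mounted memory stick, e.g. backup_encrypt "$HOME/ShopRecords" /media/usb/shop.tar.enc
BACKUP_PASSPHRASE='demo only - choose your own long passphrase'
export BACKUP_PASSPHRASE
demo_src="$(make_sample_dir)"
demo_enc="$(mktemp -d)/shop-records.tar.enc"
backup_encrypt "$demo_src" "$demo_enc"
if grep -q 'oat latte' "$demo_enc"; then
  echo "ERROR: customer data is readable on the stick; encryption failed" >&2
  exit 1
fi
if backup_verify "$demo_src" "$demo_enc"; then
  echo "backup ok: $demo_enc is unreadable without the passphrase and restores cleanly"
else
  echo "ERROR: restore test failed; do not rely on this backup" >&2
  exit 1
fi
rm -rf "$demo_src" "$(dirname "$demo_enc")"
```

The restore test is the part most people skip and the part that matters: the script only reports “backup ok” after decrypting the copy with the passphrase and comparing every restored file against the original. Windows (BitLocker To Go) and macOS (an encrypted volume created in Disk Utility) can encrypt the whole memory stick for you without a script, but the habit of periodically restoring a file and checking it is the same either way.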
After you’ve established the credibility of your “computer person”, move on to your accountant and anyone else who handles your business’s valuable information and ask whether THEIR “computer person” has implemented the Essential Eight, too! And that’s it. Certainly it’s not the end of the information security risk management story, but if you’re in the category of that imaginary small business owner whose voice I heard in my head last week, the one who hasn’t time to do anything other than focus on staying afloat, you will be head-and-shoulders above others who haven’t considered these bare minimums!
Next year I hope to explore many more topics with you, perhaps delving into why on Earth I heard an imaginary small business owner’s voice in my head last week, but for now I’ll say, “happy holidays, stay safe, stay secure, and be kind”.