9 October 2024
TRANSCRIPT
Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Nicole Overall.
Radio 2CC Canberra
Subject: free cyber security programs to help small businesses, digital platform providers urged to do better for small business
Nicole Overall
Unsurprisingly and sadly, more and more small businesses are falling victim to ever more sophisticated cyber-attacks. So, what's to be done? Well, to explore some potential solutions, I have on the line now Bruce Billson, the Australian Small Business and Family Enterprise Ombudsman. Good afternoon, Bruce.
Bruce Billson
Nicole, fab to be with you and your listeners.
Nicole Overall
Thanks so much. And there are some really disturbing, growing trends in these attacks, aren't there?
Bruce Billson
Well, there are. Sadly, the cyber criminals love targeting small and medium enterprises, and it's largely because running a business you’ve got so many things to think about. They're counting on the business maybe not having turned their mind to the cyber risks and vulnerabilities in their business, and they're seeking to exploit that.
Nicole Overall
And unfortunately, they're exploiting it very well at the minute, aren't they?
Bruce Billson
It is a worrying trend. Where a small business is hit, they tend to have a financial loss of about $46,000 as a consequence of being the subject of that attack. Now, sadly, for too many businesses, that's $46,000 that they can't afford. And for many it's actually an enterprise ending event. They may lose control over essential data and systems within the business. They may even lose the confidence of their customers, if the customers feel that some data has been compromised and the like. And that can be a really tough place to come back from. And hoping it doesn't happen to you is not a plan. There are steps that can be taken, and there's help out there to support you in taking those steps.
Nicole Overall
And the other thing with that Bruce is that these cyber-attacks are only going to continue. They're only going to become ever more sophisticated, so we need to be on the front foot.
Bruce Billson
That's right. And the cyber attackers are increasingly sophisticated. I mean, some of them run an almost corporate structure in the way they organise their attacks. They've got psychologists on board to know what language will have a business owner or a consumer respond to a phishing email that looks like it's legit, but you know, may well have behind it some software that they hope you'll click on and then load up in your system.
The biggest one businesses face at the moment is the invoice substitution scam, where they sneakily come into your accounting system and when you're filling out an invoice, they sort of cut the invoice off at the pass, leave all the bits that make it look legitimate, substitute in different bank account details, and then send it on to the customer. And the customer is expecting this invoice. This is a part payment on a house renovation, or a deposit on some travel or something like that, and before you know it, those funds have been whisked away, sent through other financial institutions and are probably cryptocurrency before you realise what's happened.
So, these are the sorts of things that businesses are up against, and that's why we're urging people to take the kind of reasonable steps in the digital world that they take in the physical world. You wouldn't leave the lights on, and the door open in your shop in Dickson. So, let's not be a little reckless and careless and rely on hope in terms of our digital security as well.
Nicole Overall
And you're quite right Bruce. Once that money is gone, the attempts to retrieve it become ever more difficult and just another headache. And as you pointed out, many small businesses just don't have the wherewithal or the resources to recover.
Bruce Billson
And there's lots of moving parts in this space. You'll see governments currently contemplating codes that put minimum expectations on financial institutions, on digital platform providers, on communications companies, where they've got to take certain steps and try and help the small business or the consumer guard against the scam.
But it's not like you see in some other jurisdictions where if you haven't done anything that's careless or reckless, you can hope for a refund. That's not what's proposed in Australia. So, there's still a heavy responsibility on people doing what is well within their gift to do, to guard against the horrible impacts of being a cyber-attack victim and then having to work out what to do next, and if, in fact, whether you can recover as a business from that episode.
Nicole Overall
So, tell us some of the more positive news in the latest announcement around all of this Bruce.
Bruce Billson
Well, there's a couple of things. What we're very excited about is the Government's announced a number of measures. Some of them are immediate and available now, things like Cyber Wardens, is a program where you can spend a few hours, have one of your team members have some training like the equivalent of a first aid warden. So that doesn't mean they'll come out being a techno genius or a Bill Gates, but they'll understand effectively what cyber first aid and good hygiene looks like. And if you got someone in your business that can make a few of those hours available, the Cyber Wardens program is a great place for you to start.
There's also very exciting news where there will be a new contract released for what's basically a support service that will help a business get alongside a business if they do happen to fall victim to one of these scams. IDCARE has won that work, and they are looking at having that support service, like a concierge. What do I need to do now, people answering that question alongside you in the business, and we're expecting that to be up and about and operating near the end of this year. So that's a very tailored one-on-one assistance program. It's the Small Business Cyber Resilience Service. We think that's fantastic. It's an $11 million investment. The kind of thing we've been calling for because even if you take good cyber first aid through something like the Cyber Warden program, or in other parts of the country chambers of commerce are running those awareness raising programs, that doesn't mean you're not going to be attacked. So, you still need that help to get alongside and work out what I should do next. How do I recover my system?
Nicole Overall
And one of the really amazing things about that Bruce, is that particular business cyber resilience service is free.
Bruce Billson
That's right. Frankly, this is one of the big challenges of our time as a society, as well as an economy, that some of the biggest businesses in the country are actually these cyber criminals running sophisticated operations and really taking advantage of our trust, the fact that in a small business, we've got so many things on our plate, and cost pressures. We might have cut a corner here, or maybe not been as attentive as we could be and that's why these sorts of free services are really equipping all of us in a Team Australia ethos to guard against what might happen.
In my agency here Nicole, we get a lot of businesses that operate on digital service platforms. They might be on Meta or Shopify or something like that, and someone hacks their accounts, and they can't get into their own accounts to actually tell the platform providers someone's hacked my account. So, it's an ultimate runaround, and we help there. But sometimes those hacks might access your own financial information. If it's got a credit card attached to it for promotion and advertising on those platforms, they'll pinch that money and go and use it to promote cryptocurrency. Or they might use it as a gateway into finding out some information about your customers. So, if we can contain that contagion, it stops the risk of that cyber-attack being much larger than it might otherwise have been.
Nicole Overall
You're right, Bruce. And the other thing is that you'd mentioned earlier was that we think that it's not going to happen to us. Well, just that simple one that you were talking about there, social media. My social media, a couple of years back now, was hacked. I couldn't get into it in order to verify who I was. There was a small amount of money taken, you know, a few hundred dollars. I actually had to go to the head of Facebook, head of Meta, in order to have it addressed, because there was no recourse for me to prove that the account was mine. So, all of these things to have that expertise and help to assist you through such situations can only be a good thing.
Bruce Billson
Oh, absolutely, Nicole, and using your example, we’re there to help businesses that have that experience and also put pressure on the digital platforms to, frankly, do better. They have a frequently asked question on a website saying, if your account's been hacked and you can't get into it, could you get into your account to tell us that you can't get into your account? I mean, what sort of nonsense is that? But that's part of what we have to navigate. And businesses come to us, because in this modern world, often the only channel a business may have to their customers is through these digital platforms, and that's why we think they need to do better.
We urge people to organise multifactor authentication, change their passwords frequently, have some other way of verifying their identity, like what you were describing with your experience. To back up your files regularly, to maybe use eInvoicing or PayID, so no one uses that invoice substitution scam to rip money off your customers and yourself. And also, to talk to your staff. I mean, one of the biggest risks is human error. And in fact, in Victoria, the Chamber of Commerce run a digital security awareness program and the central figure, its Christian name is Human, and its surname is Error. You're encouraged to use all your faculties. If you get an email that looks like it's come from the ATO, but you click on where it's been sent from, and it's got, you know, magicalvoiceofCanberra.au, there's a fair chance it's not from the tax office. So, it's sort of really encouraging people to listen to their Spidey senses and do what they can to protect themselves, while everyone else - communications providers, digital platform providers - they've got expectations of them themselves.
Nicole Overall
And the other thing that I like about all of this with these resilience programs and services Bruce is exactly that. It's about building resilience. It's not just making sure that you're protected. But how can we be doing it better as we go on? Because they're going to get better, and we need to get better at it as well.
Bruce Billson
Well, sadly, they're a learning organisation most of these scam outfits. They’re trying different things. They're even appealing to consumers and small business vulnerabilities. They're sending out emails under the name of some software security providers saying, oh, you must be concerned about these terrible cyber criminals. Well, tap onto this, and we'll tell you how to look after it. So, they're even playing off that anxiety. But you know, together, we can take steps. It's not beyond any individual business to take certain action steps. And as you pointed out yourself, if you've got records and maybe a credit card attached to an account, maybe have one with a low balance that you only use for those e-commerce transactions, and that way, if you do lose control of it, that financial loss is as minimal as it can be.
Nicole Overall
That's great advice as well, and so many different elements and aspects that are going to require ongoing awareness and vigilance. But Bruce, thanks for joining me this afternoon, and we just encourage everyone to take advantage of the help and support that is out there.
Bruce Billson
Perfect Nick. Thank you.
Nicole Overall
Good on you. Thanks so much Bruce Billson there, the Australian Small Business and Family Enterprise Ombudsman, talking about help for businesses that are facing increasing instances of cyber-attacks.