Its data shows not only is cybercrime becoming more frequent, but it is also growing more expensive. Last year, small and medium businesses lost an average of $39,000 and $88,000 respectively, per reported breach — and the bigger a business, the more at risk it may be.
“Larger businesses tend to attract exponential interest from fraudsters. Their turnover might be one hundred times larger than another business, but they are 1,000 times more likely to be a target,” says Sam Crowther, founder and chief executive of cybersecurity firm Kasada.
“From their point of view, the risks are similar but the rewards on offer are far bigger so they think that they might as well go for the jackpot.”
There is far more at stake, however, than a one-off financial loss. Even if a business can sustain the immediate fallout, it may take months or even years to rehabilitate its image, says Lorenzo Schirru, Head of Fraud, Strategy, Risk and Governance at Macquarie’s Banking and Financial Services.
“The damage to a business’ reputation and brand can be enormous. There can be customer attrition and customers may openly question your business and ask, ‘well, am I safe with you?’”
Eli Glotzer, Head of New and Emerging Growth Industries at Macquarie Business Banking, says cybersecurity has become “one of the key challenges for small to medium-sized enterprise” and one business owners cannot afford to be complacent about.
“If you were unable to trade for a week, if you couldn't access any systems, or if you incurred a significant financial loss, would your business be able to survive?” asks Glotzer.
“If the answer is ‘no’, then the next question is logical. What are you doing to mitigate that risk?”
A spate of recent high-profile data breaches has underlined the danger that such attacks pose to businesses and clients alike.
In some cases, criminals may pursue a ransom while in others they might then use customer information to target individuals directly.
“We’ve recently seen a massive uptick in attempts to crack into people’s accounts,” says Crowther. “They’re targeting retailers, trying to get access to customer accounts and steal credentials or steal any credit they might have.”
As a result, businesses need to be on high alert. Schirru says it is essential that customer data is treated as a business priority. Key to this is clarifying what information the business actually needs from customers and what its responsibilities are when recording it.
“If they securely store customer data — and only hold customer details they actually need — then even if they were to be targeted for a breach, they're less likely to actually suffer any type of information loss and, consequently, a financial loss.”
Often an attempt on a business will first show up in an inbox, with 91% of all cyberattacks starting with email [4], according to Microsoft.
One of the most common methods is known as a Business Email Compromise attack in which criminals impersonate a known person in order to fraudulently obtain access or money — sometimes even sending a message from an authentic email address.
In Australia, they cost businesses $227 million in 2021, the most of any scam affecting businesses, according to the ACCC [5].
In one example, Glotzer explains that a property buyer received an invoice they were expecting from an agency and paid over $50,000 into the account nominated in the invoice. The email address the communications originated from was legitimate, but the bank details were not. The money was diverted immediately from the nominated bank account and stolen from the property buyer.
In this instance, the customer willingly transferred the money, albeit unknowingly to the wrong account. Not only did the property buyer lose their money, but they also still owed the sum transferred into the fraudster’s account to the legitimate vendor.
In sectors where substantial sums of money are commonly being transferred, the risks posed by these types of scams are particularly acute.
“If your business is making large payments to suppliers and they are writing to you to confirm that they've changed their banking details, how are you validating the legitimacy of this information? What are the processes that you are identifying and establishing to help mitigate the risk of fraud?” says Glotzer.
One simple way is to use agreed and distinct communication methods.
“If you receive a change of account message from a supplier, standard practice should be to contact their business verbally to validate the communication and account details, to make sure it’s legitimate. And check that the number that you call on the invoice matches your system records, as fraud is increasingly sophisticated, and seemingly authentic. It might take a little extra effort, but it could save your business financially.”
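The change-of-bank-details control described above, as an added example that is not part of the original article: a request to change a supplier’s account is held until it is confirmed verbally on the number already in your own records, and a contact number on the invoice that differs from that record is flagged. All names, numbers and account details are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class SupplierRecord:
    name: str
    bsb: str
    account: str
    phone_on_file: str  # number captured at onboarding, kept in your own system

@dataclass
class ChangeRequest:
    supplier: str
    new_bsb: str
    new_account: str
    phone_on_invoice: str  # contact number printed on the incoming email/invoice

@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)
    updated: Optional[SupplierRecord] = None

def review_change_request(record: SupplierRecord, req: ChangeRequest,
                          confirm_by_callback: Callable[[str], bool]) -> Decision:
    """Hold a change of bank details until it is verbally confirmed on the
    number already on file; the number supplied with the request is never used."""
    reasons: List[str] = []
    if req.supplier != record.name:
        reasons.append("request names a supplier that does not match the record")
    if req.phone_on_invoice != record.phone_on_file:
        reasons.append("contact number on the invoice differs from system records")
    # The callback goes to the number on file, so whoever controls the email
    # thread and the invoice does not also get to answer the verification call.
    if not confirm_by_callback(record.phone_on_file):
        reasons.append("change not confirmed verbally on the number on file")
    if reasons:
        return Decision(approved=False, reasons=reasons)
    updated = SupplierRecord(record.name, req.new_bsb, req.new_account, record.phone_on_file)
    return Decision(approved=True, updated=updated)

# Constructed sample data (not from the article).
SUPPLIER = SupplierRecord("Example Conveyancing", "000-001", "11111111", "+61 2 5550 0100")

def demo_fraudulent_request() -> Decision:
    # Invoice carries a different contact number; the genuine contact denies any change.
    req = ChangeRequest("Example Conveyancing", "000-002", "22222222", "+61 2 5550 0999")
    return review_change_request(SUPPLIER, req, lambda number: False)

def demo_genuine_request() -> Decision:
    req = ChangeRequest("Example Conveyancing", "000-003", "33333333", "+61 2 5550 0100")
    return review_change_request(SUPPLIER, req, lambda number: True)
```

In practice `confirm_by_callback` is the person in accounts payable picking up the phone; the function only enforces which number they dial and that the change is not applied until they have.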
Types of attack differ, but many rely on the same thing to be successful: human error. In any process, people are going to be a primary target.
“If you look at scams and the way that they've evolved, it's all around social engineering,” says Schirru. “Why would I bother trying to break into your house for example if I can convince you to open the front door and help me load the truck?”
It takes only one staff member falling victim to expose the entire business. Business owners cannot monitor every threat their entity faces, but they can ensure their employees’ training is up to speed on how to spot a warning sign.
This might involve running simulations of phishing emails to check that staff are recognising red flags — such as spelling mistakes, urgent language, and dubious links — and reporting anything suspicious they might receive. In other cases, it might be ensuring you have systems in place for dealing with incoming calls.
Businesses need to remain vigilant and ensure they are validating who they're speaking with when dealing with external communications.
Not every small business has the scale to employ a full cybersecurity division, but that does not mean they do not have other resources at their disposal.
“Most businesses would be working with a managed service provider, or MSP. Those are there to help businesses manage documents in the cloud, their websites, their cyber risk frameworks and data storage practices,” says Glotzer.
“Businesses should be thinking about how they’re partnering with their MSPs and making sure they have a clear checklist of the things you want them to be covering and advising you on.”
In an inflationary environment, business leaders may be looking to cut as many costs as they can, but they cannot risk skimping on security.
“You need to look at it like a form of insurance or business continuity plan, where you’re paying a premium to help protect against huge downside risk,” says Glotzer.
“Any asset that has a value should be protected, be it personal property, or a business. People wouldn’t consider leaving their home unnecessarily vulnerable to theft. Cybersecurity protects business value, and client trust.”
In fact, if costs are a concern, a compelling business case could be made for engaging external partners.
“It can be really advantageous because it's usually far cheaper and it means you get access to far more experience and knowledge than you would ever be able to build internally,” says Crowther.
Even when business leaders treat cybersecurity as a key priority, things can still go wrong. In case they do, it is crucial that contingency plans are ready to go.
“If there’s a fire, employees know that they’ll need to evacuate the building and meet at a certain location down the road. The same principles go for your cybersecurity,” says Schirru.
“You've got to have playbooks in place on how to respond to an event. That might involve things around who to report to, what cascading communications look like and what other prudent risk management practices are there.”
For those plans to kick into action, there must also be a culture of transparency. Mistakes inevitably will be made so staff need to feel comfortable reporting them.
“Once someone discovers an event, they have to make it known as quickly as possible so that you can actually do something about it,” says Schirru.
That should include informing your bank — and possibly your partners and suppliers — about what has happened, he adds.
“If something has happened to one of our Business Banking customers, which could ultimately impact their customers, then that is something they need to bring to our attention as quickly as they can, so that we can find out first what happened, what the scale of it is and what we can do to remediate.”
While banks cannot advise a business directly, Macquarie may be able to direct customers to its fraud team if they are worried about a particular event or compromise.
But even when things go wrong, Schirru reminds customers they should never disclose their banking details, passwords or security codes to anyone, including their own bank.
When assessing their cybersecurity, robust businesses start by analysing where the biggest risks lie.
“You have got to understand what is most valuable and ask yourself what someone would want to steal and that will change industry to industry. For law firms it might be sensitive documents whereas for a construction company it could be intellectual property,” says Crowther.
“So, you rank your assets in terms of what could hurt you, whether it’s reputational risk or losing a competitive advantage, and then you figure out your strategy to defend against it rather than the other way around.”
There are no guarantees that what works today will work tomorrow. Businesses should be periodically checking that they have adequate protections in place.
“There is never going to be a single way to protect against cyber criminality. It is important to agree on the governance frameworks that businesses have to help manage ongoing risk,” says Glotzer.
“The risks will evolve as cyber criminals get better at what they do. It’s imperative to stay abreast of change.”
[1] https://www.accc.gov.au/system/files/Targeting scams - report of the ACCC on scams activity 2021.pdf
[5] https://www.accc.gov.au/system/files/Targeting scams - report of the ACCC on scams activity 2021.pdf
This article has been prepared by Macquarie Business Banking, a division of Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502 and does not take into account your objectives, financial situation or needs – consider if right for you.
The commentary provided in this article is based on information obtained from sources believed to be reliable, but we do not make any representation or warranty that it is accurate, complete or up to date. We accept no obligation to correct or update the information or opinions in it. Any opinions expressed are subject to change without notice. Opinions expressed in this article by third parties are not representative of the Macquarie Group and no member of the Macquarie Group accepts liability whatsoever for any direct, indirect, consequential or other loss arising from any use of this article and/or further communication in relation to this article. We make no guarantee concerning the accuracy of data and information contained on third party websites.