SMEs vulnerable to cyber security breaches, report reveals

A nationwide survey of more than 1000 SME owners and decision-makers found more than half of them did not have processes in place to manage a cyber security breach. Photo / 123RF

Small and medium-sized businesses lacking cyber security preparedness risk becoming easy targets warns an expert, but a new report shows a significant number aren’t that concerned.

“Many SMEs mistakenly believe they are too small or inconsequential to appeal to cybercriminals, however, this is often not the case,” MYOB general manager of reliability and security Peter Wolski said.

“This thinking can leave these businesses exposed as easy targets for malicious activity and the consequences of cyber breaches can be severe for all involved, including business owners, their employees, and their customers.”

MYOB’s latest Business Monitor – a nationwide survey of more than 1000 SME owners and decision-makers – found 57% did not have processes in place to manage a cyber security breach.

Just 38% of business owners said they had established plans for dealing with a cyber incident, while 6% were unsure of their processes.

While nearly half (49%) of SME leaders surveyed said they were concerned about the cyber security of their business, 47% reported being either not at all or not very concerned.

More than a quarter (28%) said they had been targeted by malicious activity such as malware, online scams, hacks, phishing, or ransomware, according to the report.

“Ongoing education for both business owners and employees is a key component of proactive cyber security,” Wolski said. “Everyone in the team should know how to protect themselves and identify red flags such as potential scams or online phishing.”

The report found cyber security preparedness increased with business size.

More than half of businesses (57%) with 20+ employees reported having processes in place to handle a breach. However, that number fell to 47% for those with 6-19 employees and just 35% for those with under six staff.

Wolski said it was crucial businesses set up robust cyber-security practices to protect them in case of a breach.

It was also a never-ending process, he said.

Wolski said the Government agency National Cyber Security Centre (NCSC) recommended protections such as software updates, multi-factor authentication and backups to help ensure business owners and their teams are protected.

“Unfortunately there’s no finish line as cybercriminals adapt and technology evolves at a rapid pace,” Wolski said.

“Prevention [of cyber threats] is always more effective than treatment.”

Last month, cyber watchdog Cert NZ (now part of NCSC, which is inside the Government Communications Security Bureau or GCSB) revealed $6.7 million in losses were reported to the organisation in the first quarter of this year – an 84% spike over the previous quarter ($3.6m) and 15.5% above the first quarter of last year ($4.2m).

However, it also warned the figures underplay losses as Cert NZ had a reliance on members of the public and small businesses coming forward.

For small businesses, though, fear of reputational damage could hold them back from reporting cyber losses.

Tom Roberts, NCSC threat and incident response team lead, said it was clear there were worrying gaps in business responsiveness to cyber incidents.

“This report by MYOB reinforces other research currently being done by the NCSC, as part of its Cert NZ functions,” Roberts said.

“While large businesses know they could be targets, sometimes SMEs don’t realise they are considered targets, too. It can range from your brand being impersonated on social media, to fake invoice scams aimed at your clients, to full-blown ransomware and data breaches.”

Roberts said they were currently working on a pack of tools SMEs could use to quickly set up internal security policies and response plans for when the worst occurs.

For now, businesses can also access support available through the NCSC’s Own your Online website. The hub offers a range of resources to help SME owners keep their business safe in the digital world, including an online security assessment tool to prepare a customised action plan.

Cameron Smith is an Auckland-based journalist with the Herald business team. He joined the Herald in 2015 and has covered business and sports. He reports on topics including retail, small business, the workplace and macroeconomics.