Cyber security for SMEs and startups

Solid cyber security is one of those things SME owners and startup founders realise is important but often struggle to get around to focusing on. Unfortunately, cybercriminals don’t make any allowances for busy business owners who haven’t had time to creating a secure cyber posture. Increasingly, neither do regulators, customers or suppliers.

Supranational groups, such as the European Union (EU), and national governments, including Australia’s, have been tightening up laws around the collection, storage and use of data since 2018. Businesses that suffer a successful cyber attack are now required to notify the relevant regulator and any potentially impacted stakeholders and may also have to pay heavy fines or penalties. In the wake of a serious data breach, they may find their options limited if they wish to IPO, list or get acquired at some future date.

While cyber security remains more of an art than a science, there are some basic precautions all business owners can take. Understanding the risks they face, taking action to mitigate those risks, and taking a proactive rather than reactive approach to cyber security is a good start.

It’s difficult to determine exactly how cyber secure Australia’s SMEs and startups are. Nonetheless, there appears to be a widespread consensus that there is room for improvement, especially in industries that haven’t historically had an ethical or legal obligation to protect their customers’ data.

Cybercrime is an enormous industry, projected to inflict US$10.5 trillion (A$15 trillion) in damages globally by 2025. Australian regulators, lawyers, investment bankers and cyber security experts, not to mention SME owners and startup founders themselves, all seem to agree that while most Australian businesses have basic cyber defences in place, in many cases these defences should be substantially upgraded.

If they are not upgraded, those who own or oversee businesses can no longer expect much wriggle room from regulators or courts. There are currently moves afoot to hold directors personally liable for failing to appropriately manage cyber security risks. And in recent times, Australian businesses have had to pay out hundreds of thousands and sometimes millions of dollars for failing to properly use or safeguard their customers’ data…