Just over $7 million has been allocated to establish a voluntary business cyber health-check program, offering businesses a free, tailored self-assessment of their cybersecurity maturity. A further $11 million has been allocated to a Small Business Cyber Resilience Service, which will help small businesses navigate cyber challenges and walk them through recovery from an attack.
Small firm, greater risk
John Macpherson, head of cyber response at global law firm Ashurst, said threat actors regularly targeted smaller players to get to bigger fish.
“There are many smaller companies that play critical roles in the financial services, energy and healthcare sectors, and they will increasingly need to demonstrate – hopefully with government support – they can be, themselves, cyber secure,” he said.
The corporate watchdog last week released a report revealing small businesses were cyber immature compared to their larger counterparts.
Small businesses scored, on average, 1.42 out of four for cyber protection, 1.34 for detection, 1.36 for response, and 1.28 for recovery, the Australian Securities and Investments Commission’s 2023 cyber pulse survey found.
Worryingly, it found 34 per cent of small businesses did not follow or benchmark against cybersecurity standards; 44 per cent did not perform assessments of third-party vendors; 33 per cent had limited capability for multifactor authentication; and 45 per cent did not scan for vulnerabilities.
“Considering small organisations are regularly required to manage competing priorities with limited financial and human resources, it’s unsurprising that they consistently reported a lower level of cyber maturity capability than medium and large organisations,” ASIC said.
“For many small organisations, outsourcing is essential to managing cyber risk. These relationships can become critical to their success.”
The Australian Signals Directorate – the nation’s spies online – responded to more than 1100 cyber incidents from local entities in 2022-23. Meanwhile, almost 94,000 cybersecurity reports were made to law enforcement through ReportCyber – around one every 6 minutes – up 23 per cent year-on-year.
The average cost to small businesses was $46,000.
Other changes in the cybersecurity strategy will include mandatory reporting of cyber ransoms under a no-fault scheme that will allow paying ransomware gangs – 10 per cent of incidents the ASD responded to last year were ransomware or similar – and the establishment of an intelligence-sharing partnership between big businesses, designed to block scams.