15 August 2017

'Cyber security threats and small businesses', Address to the Cyber Plus small business cyber security bundle launch, Parliament House, Canberra

Note

Check against delivery

Good morning, everyone.

It's great to be here for the launch of the Cyber Plus small business security bundle.

As Minister for Small Business, it's always fantastic to see service providers customise their products to suit smaller operators.

Moreover, I think the launch of your small business service is incredibly timely.

It comes at a time when cyber security matters a great deal to our economy.

In fact, it matters to small businesses, and it matters to the Coalition Government.

In launching Australia's $230 million Cyber Security Strategy last year, the Prime Minister said:

The challenge we face is that the same qualities that enable us freely to harness cyberspace for prosperity can also provide an avenue for those who may wish to do us harm.[1]

It's a challenge that applies to Australia's 3.2 million small businesses which are online more than ever — in fact, 93 per cent are connected to the internet.[2]

Like all of us, the internet is indispensable for small operators.

It's essential for all matter of day-to-day activities; business-to-business transactions, banking, email, online sales and advertising. The list goes on.

While the internet delivers small businesses so much good, unfortunately the chances of a cyber security incident pulling the rug from beneath their feet are high.

Cyber security threats

The Australian Cyber Security Centre doesn't mince its words — it says experiencing a cyber security incident is not a matter of if but when, and what type.

It found that 90 per cent of organisations faced some form of attempted or successful cyber security compromise during the 2015–16 financial year.[3]

Cyber security threats come in many shapes and sizes — and there are becoming increasingly sophisticated.

Ransomware

Let me give you a quick sample, starting with ransomware — one of the most frequent and damaging types of malware.[4]

The WannaCry and Petya ransomware campaigns drive home the reality that cyber criminals can and do cause widespread and indiscriminate damage.

Australia was fortunate that it didn't suffer as much as other countries, but there were Australian victims. And, unfortunately, they were mostly small businesses.

Ransomware can spread in a range of ways. In the case of WannaCry and Petya, the malware spread through computers whose Microsoft operating systems had not been updated.

But they can also be spread through emails.

All it can take is one click on an email attachment or link to download the ransomware, bringing a system to a grinding halt.

Once present on a computer the ransomware encrypts the data and demands payment — usually in bitcoin — for its release.

But, even for those who pay up, there's no guarantee they'll recover their systems.

So it's important that businesses ensure their software is up-to-date and their information is regularly backed up to an external source.

Unfortunately ransomware is something we're only going to see more of — the Australian Competition and Consumer Commission (ACCC)'s scam activity report reveals the number of ransomware emails to businesses is increasing.[5]

Spear-phishing

The Australian Cyber Security Centre also lists spear-phishing as a threat — one that is becoming more convincing and difficult to spot.[6]

Rather than a casting out a wide net, spear-phishing is a carefully crafted and highly personalised form of cybercrime.

A small businesses owner may receive an email which appears to be from a familiar contact.

It might have correct signature block, relevant details about a project and it may have an attachment or zip file which appears to be a PDF.

However, opening the malicious attachment triggers the planting of malware — which can lead to a world of pain.

Small business initiatives

These cybercrime examples all lead to the same conclusion: prevention is better than cure.

The Australian Cyber Security Centre says the costs of compromise are almost certainly more expensive than preventative measures.[7]

According to a Norton survey, Australian small business operators suffered an average financial loss of just under $6,600 per incident.

But the costs add in other ways, too.

Small businesses said they felt most impact of cyber security incidents through downtime, the expense of re-doing work, inconvenience, and data loss.[8]

Damage to reputation is, of course, also a lingering factor.

Despite this, the challenge for all of us here today is that cyber security is often a low priority for small businesses with limited resources.

Stay Smart Online says some of the cyber security downfalls for small businesses include unaware staff, out-of-date software and no back-ups.[9]

The Norton Survey said 'almost a quarter of small businesses have no internet security solution, many have no professional IT support and little interest in cyber insurance.'[10]

As a former small business owner, this is understandable but also concerning.

Grants

That's why the Government is taking action to assist small businesses so they can better secure themselves from cyber threats.

We are providing grants of up to $2,100 to co-fund small businesses to have their cyber security tested by CREST ANZ-approved service providers.[11]

The grants — expected to open for applications this financial year — will enable around 5,000 small businesses to test their cyber security resilience.

Webinars

We are also ramping up awareness within the small business community through a series of cyber security webinars.[12]

The Australian Small Business and Family Enterprise Ombudsman, Kate Carnell, said just about every business with a physical shopfront has an alarm and takes security precautions, but not every business is aware of cyber security.[13]

We need to change that.

The Entrepreneurs' Programme — an initiative of the National Innovation and Science Agenda — will continue to deliver a five-part webinar series over the next few months.

The webinars come on the back of a set of special cyber security resources which I released earlier this year.

This included an alert service and tips for businesses.[14]

Telecommunications

On top of that, the Government is speaking with telecommunications companies to find out if they can do more to protect customers.

We believe there are opportunities for telcos and other online service providers to stop threats before they reach end users like small businesses.

It's a combination of many things that will make the difference.

Resilience taskforce

Looking at the bigger picture, more recently, the Prime Minister announced the Cyber Resilience Taskforce.

The Taskforce will drive fast action to improve Australia's capability and response to cyber security and cybercrime threats and incidents.

This taskforce is leading new areas of work focusing on tackling cyber-crime, supporting small business, securing critical infrastructure and building cyber resilience.

The bottom line, as the leader of the taskforce said, is that 'we must have trust and confidence in our online interactions.'[15]

Industry development

On a different front, the Government recognises the value of having a vibrant and globally competitive cyber security industry in Australia.

That's why we've allocated over $30 million to fund the new the Cyber Security Growth Centre.

We want to create opportunities for Australian businesses to grow their cyber security operations and reach new markets with their innovations.

The global cyber security market is, after all, estimated to be worth close to US$170 billion by 2020.[16]

Closing remarks

So there's a lot happening in this area.

And I'm glad that many of you here today are part of the action — and part of the solution.

Let me finish by, again, thanking you for tailoring your products and services to meet the demands of small businesses.

Today, I've outlined some of the cyber security challenges for small businesses. And I believe where there are challenges, there are inevitably opportunities.

Opportunities for small businesses to be more proactive; opportunities for government to do more; opportunities for the cyber security protection industry to develop better products and services.

I'm pleased Cyber Plus is stepping up to the mark.

If you can provide small business operators with a complete solution — something that provides both value for money and peace of mind — then I wish you every success.

Thank you.

1 - Speech — Prime Minister of Australia — Launch of Australia's Cyber Security Strategy Sydney, 21 April 2016

http://www.pm.gov.au/media/2016-04-21/launch-australias-cyber-security-strategy-sydney

2 - Sensis e-business report 2016 https://www.sensis.com.au/about/our-reports/sensis-ebusiness-report

3 - https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf

4 - https://www.staysmartonline.gov.au/alert-service/australians-need-apply-latest-software-updates-protect-against-new-global-ransomware-campaign

5 - https://www.accc.gov.au/system/files/1162%20Targeting%20Scams%202017_FA1.pdf

6 - https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf

7 - https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.pdf

8 - http://now.symassets.com/content/dam/content/en-au/collaterals/datasheets/cybersecurity-simplified.pdf

9 - https://www.staysmartonline.gov.au/news/top-5-cyber-security-mistakes-small-businesses

10 - http://now.symassets.com/content/dam/content/en-au/collaterals/datasheets/cybersecurity-simplified.pdf

11 - https://www.business.gov.au/assistance/cyber-security-small-business-program

12 - https://www.business.gov.au/events/webinar-series-cyber-security-for-your-business

13 - http://www.asbfeo.gov.au/news/news-articles/cyber-security-growing-issue-small-business

14 - http://mfm.ministers.treasury.gov.au/media-release/010-2017/

15 - https://www.pmc.gov.au/news-centre/cyber-security/cyber-resilience-taskforce-cyber-security-sprint

16 - http://www.minister.industry.gov.au/ministers/hunt/media-releases/new-growth-centre-help-australia-become-global-cyber-security-leader