RESULTS FROM THE SBAA MEMBER SURVEY AND INDUSTRY RESEARCH
The cyber security landscape faced by Australian SMEs is complex and continuing to evolve; however, significant obstacles prevent SMEs from implementing good cyber practices. According to the ACSC 2020 Small Business Survey Report, these barriers include a lack of guidance on complying with relevant legislation, difficulty in interpreting technical information, a lack of understanding of the risk, likelihood and consequences of a cyber incident, and the absence of a cyber response plan. To investigate these issues, quantitative research of SMEs was undertaken by conducting a survey to understand their experiences and perceptions of cybersecurity practices and why SMEs struggle to achieve practical cybersecurity standards. In addition, the research focussed on why SMEs are still not diligent in cyber security and who they feel should be responsible for cyber security incidents.
The insights obtained from this research, along with a review of available literature, were utilised to develop a series of recommendations with the goal of improving SMEs’ (and Australia’s) cyber security resilience. To accomplish this research, the Small Business Association of Australia (‘SBAA’) collaborated with a team of academics from the University of New England (‘UNE’) and Ducere Global Business School (‘Ducere’) who were tasked with formulating the research methodology and conducting the subsequent survey among SBAA members. This report provides an overview of the survey results, accompanied by key analysis and recommendations derived from the findings.
Key Insights & Findings:
- 68% of respondents consider cyber security to be a top priority
- 60% of respondents cannot afford cyber security services, or rely on low cost, free or open-source software/tools.
- 36% of respondents have a cyber security plan in place and are actively training their staff, while 12% of respondents are not actively using the cyber plan currently in place.
- 47% of respondents believe the software and technology they use provides adequate protection, however, 38% of respondents would pay more for additional support.
- 94% of respondents feel the government should provide greater support, the most popular form being government-provided financial support.
- Respondents feel everyone should be held accountable for cyber security, with greater government-provided financial support.
Recommendation 1: Development of a Cyber Security Act
Given 94% of respondents to the survey believe Government should provide greater support and assistance, Australia would benefit from enacting a holistic Cybersecurity Act, similar to the Act implemented by the European Union. The Act would provide a single source of truth on legislative requirements for SMEs. By integrating the responsibility for developing, implementing, promoting, and enforcing all relevant cybersecurity legislation, regulations and standards, and developing an overarching cybersecurity framework, Australia will be in a better position to safeguard itself and mitigate the risks posed by cyber threats and attacks.
Recommendation 2: Economic Incentives to drive Cyber Security Resilience
60% of respondents to the survey highlighted that the cost of cyber security was a barrier to the effective management and/or implementation of prevention, monitoring, or education programs within their business. On average, Australians spent A$5.6 billion on cyber security products and services in 2020, highlighting the cost of cyber-related products in an Australian context alone. With cost such a consideration for small business, developing financial incentives and improving access to equitable funding schemes would inevitably lead to greater proactive cyber security management.
The following government schemes should be implemented to support a larger uptake of cyber security measures across SMEs or the community more broadly:
- Financial grants available to start-ups and new small businesses operating online (without a physical presence).
- Subsidised financial support (capped) for small businesses to enable the purchase of cyber security insurance.
- Subsidised financial support for businesses that require cyber security consulting services to develop appropriate business continuity plans and incident management processes to support quicker return to operations, post cyber-attack.
- Funding grants for businesses that support and deliver initiatives that enable government-led self-sovereign identity (SSI) management outcomes.
- Reduced taxes for small businesses that have adopted the ACSC’s Essential 8 or shown they are implementing measures that will align to Essential 8 requirements.
- Financial incentives for SMEs that support cyber threat intelligence sharing and monitoring.
- Financial incentives for students that enrol and complete a Bachelor of Education and subsequently teach students in Australia’s K-12 education programs for a minimum of four years.
- Financial grants for member-based associations to support the development and implementation of cyber security learning and development programs.
Recommendation 3: Self-Sovereign Identity Management
Self-sovereign identity management (SSI) is a digital identity management system that enables individuals to control their data and how it is shared. The concept relies on a triangle of trust between the owner of the digital identity (the user), the issuer of the credential (a trusted entity), and the identity verifier (a third party). The underlying protocols of SSI are verifiable credentials, decentralised identifiers, and distributed ledger technology. SSI would address the rampant issue of data breaches being experienced within Australia and more broadly across the globe. With 77% of survey respondents admitting to storing PII, a decentralised approach to data storage, coupled with robust encryption and cryptographic mechanisms, establishes an unprecedented level of security. In essence, it creates a transformative solution to the persistent problem of data breaches, while reducing the likelihood of small businesses remaining prime targets for cyber threat actors.
An Australian Commonwealth government-led SSI would be game-changing for businesses, enabling them to store proof, not data, thus meeting customer privacy demands and regulatory requirements. Reducing the liability for SMEs through the utilisation of a decentralised blockchain-based ledger reduces data storage/management costs, decreases cyber security threats, and increases legal compliance. Adopting SSI gives control back to the user, fostering a more secure method of storing sensitive information and driving citizens’ ability to self-manage access to their digital identities.
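The "store proof, not data" idea and the issuer/holder/verifier triangle described above can be made concrete. The following Go program is an added example written for this report summary; it is not code from SBAA, UNE or Ducere and does not implement a real W3C Verifiable Credentials format. It assumes Ed25519 signatures and salted SHA-256 commitments as a simple stand-in for verifiable-credential proof formats, `did:example:` identifiers as constructed placeholders for decentralised identifiers, and an in-memory `KeyRegistry` in place of resolving an issuer's DID against a ledger. The issuer signs commitments to every claim; the holder reveals only the claim a business needs (here `over18`); the business verifies the issuer signature and the opened commitment and can record that outcome without ever holding the holder's name or date of birth.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Commitment is a salted hash of one claim. The issuer signs the commitments,
// never the raw values, so the holder can open them one at a time.
type Commitment struct {
	Name string `json:"name"`
	Hash string `json:"hash"`
}

// credentialBody is the part of the credential covered by the issuer's signature.
type credentialBody struct {
	Issuer      string       `json:"issuer"` // issuer DID (constructed placeholder)
	Holder      string       `json:"holder"` // holder DID (constructed placeholder)
	Commitments []Commitment `json:"commitments"`
}

// Credential is what the holder keeps in their wallet.
type Credential struct {
	Body      credentialBody
	Signature []byte
}

// DisclosedClaim opens one commitment so a verifier can recompute its hash.
type DisclosedClaim struct{ Name, Salt, Value string }

// Presentation is what the holder hands to a verifier: the signed commitments
// plus only the claims the holder chooses to reveal.
type Presentation struct {
	Credential Credential
	Disclosed  []DisclosedClaim
}

// KeyRegistry maps issuer DIDs to public keys; it stands in for DID resolution
// against a ledger (constructed for this example).
type KeyRegistry map[string]ed25519.PublicKey

func commit(name, salt, value string) string {
	h := sha256.Sum256([]byte(name + "\x00" + salt + "\x00" + value))
	return hex.EncodeToString(h[:])
}

// bytes serialises the signed body; fixed struct field order keeps it deterministic.
func (b credentialBody) bytes() []byte {
	out, err := json.Marshal(b)
	if err != nil {
		panic(err)
	}
	return out
}

// NewIssuerKeys creates the issuer's Ed25519 key pair.
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue commits to every claim under a fresh random salt and signs the result.
// The salts go back to the holder, who needs them to open commitments later.
func Issue(priv ed25519.PrivateKey, issuerDID, holderDID string, claims map[string]string) (Credential, map[string]string) {
	names := make([]string, 0, len(claims))
	for n := range claims {
		names = append(names, n)
	}
	sort.Strings(names) // fixed order so the signed bytes do not depend on map iteration
	salts := make(map[string]string, len(claims))
	body := credentialBody{Issuer: issuerDID, Holder: holderDID}
	for _, n := range names {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			panic(err)
		}
		salts[n] = hex.EncodeToString(raw)
		body.Commitments = append(body.Commitments, Commitment{Name: n, Hash: commit(n, salts[n], claims[n])})
	}
	return Credential{Body: body, Signature: ed25519.Sign(priv, body.bytes())}, salts
}

// Present builds a selective-disclosure presentation revealing only the named claims.
func Present(cred Credential, salts, claims map[string]string, reveal ...string) Presentation {
	p := Presentation{Credential: cred}
	for _, n := range reveal {
		p.Disclosed = append(p.Disclosed, DisclosedClaim{Name: n, Salt: salts[n], Value: claims[n]})
	}
	return p
}

// Verify checks the issuer signature, then every opened commitment. On success it
// returns the revealed claims; the verifier never sees the undisclosed ones.
func Verify(p Presentation, issuers KeyRegistry) (map[string]string, bool) {
	pub, ok := issuers[p.Credential.Body.Issuer]
	if !ok || !ed25519.Verify(pub, p.Credential.Body.bytes(), p.Credential.Signature) {
		return nil, false // unknown issuer or altered credential body
	}
	committed := make(map[string]string)
	for _, c := range p.Credential.Body.Commitments {
		committed[c.Name] = c.Hash
	}
	revealed := make(map[string]string)
	for _, d := range p.Disclosed {
		if committed[d.Name] != commit(d.Name, d.Salt, d.Value) {
			return nil, false // unknown claim name, or tampered value or salt
		}
		revealed[d.Name] = d.Value
	}
	return revealed, true
}

func main() {
	pub, priv := NewIssuerKeys()
	registry := KeyRegistry{"did:example:issuer": pub}
	claims := map[string]string{"name": "Alex Citizen", "dob": "1990-01-01", "over18": "true"} // constructed sample
	cred, salts := Issue(priv, "did:example:issuer", "did:example:holder", claims)
	revealed, ok := Verify(Present(cred, salts, claims, "over18"), registry)
	fmt.Println(ok, revealed) // true map[over18:true]
}
```

The point to take from the example is what the verifying business ends up holding: a signature-checked `over18=true` and the issuer's DID, not the customer's name or date of birth, so a breach of the business discloses proof rather than PII. A production SSI deployment would use a standard credential format with a purpose-built selective-disclosure scheme (for example BBS+ signatures or SD-JWT), verify that the presenter actually controls the holder DID, and check credential revocation; the toy above omits all three.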
Recommendation 4: Secure-By-Design Legislation
Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Currently, the ACSC along with international peers such as CISA, the FBI and the NSA have developed a guide to support manufacturers to understand best practice secure-by-design principles. These principles merely promote security outcomes and allow manufacturers and developers to determine whether to prioritise security based on their individual preferences and commercial considerations.
An opportunity exists to legislate that products and services that are Australian-produced and/or provided to the Australian market must demonstrate minimum security standards using best practice secure-by-design principles, and that these standards remain contemporary through the lifecycle of the product. This proactive approach to security would ensure that secure-by-design is a fundamental component during engineering design phases, with consumers’ security at the core of development, and not an ‘optional extra or add-on’ (which vendors currently view as an overhead or potential risk to commercial viability).
Recommendation 5: Enhance Design Intelligence Through Industry Partnerships
While Internet Service Providers (ISPs) actively monitor for malicious SMS activity, this is far from the only area of concern when it comes to monitoring malicious cyber activity. CISA notes that 70% of all attached files or links containing malware are not blocked by border protection services. Opportunities exist to enhance ISP and telecommunication monitoring activities through augmented information and cyber threat intelligence sharing capabilities and greater strategic partnerships. When sharing communities are substantively and technologically optimised for cybersecurity, participants benefit from expertise and insights which may otherwise be unavailable to them with respect to developing threat vectors, mitigation of specific cyber risks, and real-time coordinated responses to hostile cyber events. As such, a unique opportunity exists for Australia to create a whole-of-nation information and cyber threat sharing ‘centre of excellence’, bringing together the various monitoring tools and capabilities across the diverse cyber community into a centralised sharing platform with the aim of enhancing Australia’s decision intelligence in preparation for cyber events.
By doing so, Australia can develop large repositories of cyber threat intelligence, enhancing our understanding of the evolving threat landscape, and the tools and capabilities required to mitigate those complex and pervasive threats. Furthermore, by openly sharing information on the threat landscape by creating genuine strategic partnerships, all elements of Australia can understand the realities of the cyber threat and continue to contribute meaningfully by sharing individual cyber experiences. By proactively engaging in this way, the community can understand the material impact these threats may have to their livelihoods, personal privacy, and safety.
Recommendation 6: Mandate Cyber Insurance for Relevant Businesses
The Insurance Council of Australia states that 20% of Australian SMEs and 35-70% of larger businesses have standalone cyber insurance. With the ever-increasing volatility of the cyber security landscape, the development of cyber insurance leveraging contemporary knowledge of cyber risks is a challenge. The Royal United Services Institute states that the industry is also struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling, which further hampers the ability to develop cyber insurance assessments and outcomes in a dynamic manner.
Some forms of insurance, like worker’s compensation and public liability insurance, are required by law. However, there is no current legal requirement for businesses to have cyber insurance in an Australian context, which limits the ability for businesses to receive support and/or compensation in the event of a cyber-attack.
Australia’s public/private health partnership is a positive example of where government and industry can work together to benefit the community. Therefore, replicating a similar insurance model for cyber security should be considered. For this approach to be effective, the government could support a portion of the cover, such as first-party, and consider converting contingency into a fixed cost delivered through private industry, such as third-party. Additionally, legislatively mandated cyber insurance for all businesses with a valid ABN would continue to build a stronger cyber security posture – as cyber security incidents don’t only impact businesses operating in a digital context, cyber events can impact numerous others too. The Cybersecurity Act would include cyber insurance requirements and prescribe the applicability of the mandate, building the mechanisms to enforce cyber insurance governance. Furthermore, financial incentives and subsidies would be provided to those businesses meeting ACSC cyber security standards.
Recommendation 7: Integrate Cyber Security Into The Education System
The Australian Government recently introduced a third stream in the National Assessment Program – Literacy and Numeracy (NAPLAN) titled “Digital Technology” (Department of Education, 2020). The objective of this initiative is to standardise the assessment of Australian students’ technology and cyber awareness. However, while standardising assessments of student digital literacy is a good starting point, research suggests that it is imperative to extend cyber security education beyond the realm of information systems programs. The integration of cyber security into more diverse fields ultimately encourages a multidisciplinary approach to tackling cyber threats and enables students to gain a comprehensive understanding of the far-reaching societal impacts of cyber security.
Practical hands-on education and training should be emphasised in cyber security education. Research asserts that real-world case studies, practical exams, and hands-on lab experience can significantly enhance internet users’ awareness of cyber security issues as opposed to theoretical learning practices. Further research also suggests that practical experiences are vital in developing the problem-solving skills required in the field of cyber security.
To effectively implement cyber security education in the Australian K-12 curriculum, an ongoing and collaborative effort between Australian academia, government, and industry should be considered. NIST offers an example of this unified model with the launch of the National Initiative for Cybersecurity Education (NICE). The partnership serves as a thought leader and guide for educators in developing curricula, tertiary programs, courses, seminars, and training programs. By considering a similar approach, the Australian Government can support educational institutions in developing a cyber curriculum that aligns with Australia’s dynamic and ever-evolving cyber landscape.
Australian universities also play a crucial role in bridging the educational gap that exists among aspiring teachers. By implementing cyber security as an independent subject within a Bachelor of Education, institutions can cultivate an environment where future teachers are confident in tackling cyber-related challenges in their future classrooms.
SMEs are a significant contributor to Australia’s economic prosperity and are often left out of critical consultation processes. This study has highlighted the importance of effective engagement with SMEs to gain relevant insights into the impact of cyber security and cyber security measures on their business. The collaboration between SBAA, UNE and Ducere has provided valuable insights and produced evidence-based recommendations. The recommendations are summarised below:
By implementing these recommendations, Australia can strengthen its cyber security landscape, empower SMEs to mitigate risks, and foster a culture of cyber resilience. Collaboration between government, associations, educational institutions, and SMEs is crucial in achieving these goals and ensuring a cyber safe future for the nation.