Cybersecurity explained in business language

Cybersecurity explained in business language

First up, you need to know that cyber threats are real and are affecting Australian businesses. Unfortunately SMBs are a common target (48% of all cyber attacks) as they are seen as a soft and easy target.  We have firsthand experience with cyber threats vs SMBs.

But lets clear up what cybersecurity is, and isn’t, and make sense of what you need to know versus the hype and scare tactics.  

Cybersecurity, or Information Security as it was originally called, is a much hyped and talked about subject.  The media sensationalise, the government proclaim, vendors promise and yet there has been next to no improvement in Australian businesses poor security preparedness.

This article is here to help you, a business leader, understand this domain and what it means to your business.

What is Cyber Security?

Cybersecurity (cyber security) can best be described as information security - protecting information and the systems that collect, manage, store and use information.

Whilst information is information, we as cyber security professionals focus on the information that matters most - referred to as sensitive information/data.

Sensitive information/data is any information that matters to legal or financial compliance, such as privacy data or payment card data, or information that is essential for your business or your customers; 

  • identity information such as names, date of births, licence numbers, tax file numbers
  • credit card or financial details
  • customer lists
  • Product pricing or information
  • Usernames or passwords
  • Legal documents
  • Intellectual property
  • IT diagrams or documentation
  • Application or cloud code
  • Systems that are critical to your business operating (POS, ERP, payroll, website, finance, infrastructure)

Why does some of this data matter?

Sensitive data is data that can cause harm; to your business, to your employees or your customers.  Some scenario’s make it a bit clearer:

  • A name and address of a vulnerable person is leaked and a hostile party gaining access to that can cause physical harm
  • A username and password is leaked and an unauthorised person(s) gain access to your systems to Steal data
  • Peoples privacy details are lost/leaked/stolen (such as names, dob’s), resulting in a Privacy breach, which requires mandatory reporting, and can carry large financial penalties (for the business and leaders personally) with amounts up to $$Millions for the business and $Hundred Thousands for the individuals.
  • Your pricing is lost and a competitor undercuts your business (normally an overseas country - such as China which is synonymous with stealing data and undercutting local markets)
  • Code is leaked on GitHub that has access keys/tokens or passwords, granting full access to your apps or systems

These are just some examples.  it is worth pausing and considering what sensitive data your business has and what would happen to your business should the worst happen.

Who are the the Bad Guys

There are many people, organisations and even countries that are hungry for your data, or to put your business out of business.  Competitors, both local and overseas, cyber criminals who want to profit from your loss, spy/hacking agents from other countries seek to steal your business/IP/customer details, or hackers who just want to disrupt and cause chaos.

Some common terms you hear in relation to the bad guys, also called bad actors, attackers, hackers, cyber criminals, nation state hackers . . . 

Ransomware:  A type of cyber attack where your systems or data are encrypted (locked) and you cannot access them. A ransom is normally required, often in Bitcoin, for the cyber criminals to give you back your access. The bad side of this is, even if you pay the ransom you may not get your data and access back . .  .and, they still have a copy and have access to your systems.  If this happens to you, contact us to assist (or another reputable Cybersecurity Company).

Phishing: basically dangling an email like bait to get someone to click on it, go to a bad website (or open a bad attachment) that steals a persons username/password or other information for the bad guys to gain access to your systems and information,  This one is the most common attack because it is successful, people fall for it. (Like here is your tracking pdf for the product you never actually ordered).

Credential Theft or Compromise: There are many ways that bad guys steal peoples username and passwords, and sometimes they don’t even steal them, they buy them on the dark-web (the underground internet). The most common form of theft is via phishing. The most common source of buying is when a company has a data breach that contains usernames and passwords of their customers. Attackers then use scripts, basically mini programs, to see if those credentials (username/password) work for other sites, like Facebook, X, Instagram, TikTok and other websites.  Of course, they have great success with this because people re-use the same password for many services.

Data Breach:  This is when data is lost or stolen from a business. For most Australian businesses, you are now required to tell to Office of the Australian Information Commissioner (OAIC) that this has happened.  Fines, penalties and extra compliance may follow, for the business and directors/leaders personally.  Also, customers may need to be notified, resulting in lost trust and most likely lost business.

Malware or Malicious Software: This is the software, or app, that carries the ‘virus’ or malicious script/program that sets everything up for the bad guys.  This software usually gets installed when people click on phishing attachments, or links and go to the bad guys website (that often looks exactly like the site they have cloned).  Depending on how advanced the malicious software is, it may be detected or maybe not.  Old skool anti-virus rarely catches anything, the bad guys test first to be sure they get past it. Next-gen or more advanced Endpoint Detection & Response (EDR) software is normally required because this monitors the computers system files and the like.  This applies equally to desktops, laptop, tablets and mobile phones - they are all targets for the bad guys.

You can probably understand now why most SMBs go out of business after a successful cyber attack.

Now is a good time to pause and think of your business in the light of all this.

What sensitive data do you have, hold or use?  What would happen if that was lost, stolen, or in the hands of a competitor (local or overseas).

What would happen if you were locked out of your own systems?

What security do you have today? Would you even know if someone was already in your systems and stealing your data?

Next time around we will talk about some of the things you can do, and what you need a reputable Cyber Security company to do for you.

Until next time, be smart and be safe. Don’t share or re-use passwords across more than one system or app :)

Small Robot are a cyber security and technology company with a key focus on securing small to medium business (SMB) and mid-sized business (SME).  We partner with key players, like Cisco, who provide us with large business/enterprise level technologies that we can leverage at an SMB price point, that, when coupled with our skill, experience and security detection & response system provide SMBs with cost effective and highly capable security protection.