Step 1: People

Having robust processes and up-to-date technology is part of the cybersecurity puzzle, but there's another crucial piece that shouldn't be underestimated – the human element.

Successful cyber attacks typically involve a business owner or one of their employees being tricked into opening a phishing email purporting to be from, say, a financial institution, or being duped into downloading a virus.

It's important to build a culture of cybersecurity where every employee has a role to play and where cyber vigilance is baked into your way of working.

Raise general awareness

The people in your business – ranging from the most senior partner to the most junior intern – may not be aware of how prevalent cyber crime is and how vulnerable finance industry SMEs are.

So, the first step is to raise awareness. This can be done by:

  • convening an informal group chat
  • sending an all-employee email
  • running a ‘security week’ with fun security games and quizzes
  • arranging an offsite cybersecurity training day
  • making cybersecurity training part of the induction process for any new hire.

Identify specific threats

Cybercriminals are incredibly enterprising and they’re constantly developing ingenious ways to extract money or data from their victims.

While it’s difficult to educate yourself about all the cyber threats out there – from phishing, smishing and whaling, to ransomware and business email compromise – it pays to stay across current scams to better protect yourself, your business, and your clients.

During the lockdowns, malicious actors exploited the disruption created by remote working to engage in a form of phishing called business email compromise. That is, they convinced individuals struggling to adjust to unfamiliar working arrangements to pay fake invoices, to send shipments of goods to fake clients, or to start paying employee salaries into a ‘new’ bank account.

To help mitigate the risk of falling foul of these types of scams, and the financial and reputational damage that can result, you can keep up to date with the latest cyber scams at the Australian Competition and Consumer Commission (ACCC) Scamwatch website.

Have a communications plan in place and share information about the latest scams via email, articles on your intranet or in regular cybersecurity catch-ups.

Create a cybersecurity-conscious culture

While it's impossible to create business processes that allow employees to recognise and deflect every conceivable cyber attack, you can create a 'safety culture' that prioritises cybersecurity.

By way of comparison, most employers have now fostered safety cultures that help minimise the risk of workplace accidents. There is no reason why a similar culture could not be introduced to help minimise the risk of cyber attacks.

What does such a culture look like in practice? It’s one where employees, among other things:


Senior leaders' special responsibility

Senior leaders need to be especially focused on cybersecurity for two reasons.

The rest of the workforce is only likely to take cybersecurity seriously if they see those at the ‘pointy end’ of the organisation doing so.

Governments around the world are now looking to reduce cyber crime by holding corporate decision-makers – rather than difficult-to-apprehend cyber criminals – accountable for cyber attacks.

For example, the Australian Government is currently considering holding directors responsible if they fail to adequately manage cybersecurity risks.

So far, it’s only directors of listed companies in the crosshairs. But it’s not hard to imagine accounting firm partners being held to a similar standard one day soon.

Rather than waiting for that day to arrive, why not be proactive and immediately start educating your firm’s workforce about the very real danger posed by cyber crime?

Stay aware of new threats

Check the Australian Cyber Security Centre website regularly