A lack of cybersecurity measures in the government’s digital strategy will leave SMEs vulnerable

Cybersecurity initiatives for small business were conspicuously absent from the government’s $1.2 billion digital strategy, unveiled yesterday.

The suite of measures, announced ahead of the federal budget next week, pledged ‘over $50 million’ to improve cybersecurity in the government, as well as investment in data centres and telecommunications networks.

But, despite funding designed to boost small business digitisation, none of the cyber spending is heading to SMEs. Experts say this is a blind spot that could leave them more vulnerable than they already are.

Cynch Security co-founder Susie Jones notes that any business operating over the past year has “come to terms with the need to be digital”.

Focusing on digitisation in a bid to boost the economy makes sense, she adds.

“But doing so without a consideration for the new risks technology introduces to small businesses is dangerous.”

Small businesses are already vulnerable to cyber crime, and seen by cyber criminals as something of an easy target, Jones explains.

“Increasing their dependence on technology without incentivising businesses to tackle their cyber risk, will make things worse.”

The government statement also suggests this will build on its $1.67 billion cybersecurity strategy unveiled in last year’s budget.

However, according to Jacqueline Jayne — a cybersecurity awareness advocate at training company KnowBe4 — that’s not necessarily much to build on.

Last year’s budget pledged millions of dollars in funding to “keep Australians safe in an increasingly complex threat environment”.

But so far, we haven’t seen much in the way of specific measures. And she’s not anticipating anything changing as Treasurer Josh Frydenberg hands down the 2021 budget next week.

We’re getting “lots of words”, Jayne says.

“Where are the measurable deliverables and outcomes?

“As we prepare for the 2021-22 budget, I fear there will be a copy and paste from last year with a few more words to create a mirage of progress.”

What Jayne would like to see is more of a focus on cybersecurity upskilling for the general public, and programs tailored to raising awareness.

A government-backed national cyber awareness campaign, for example, would be “a delightful surprise”, she says.

She points to research from Stanford university, which found that some 88% of all data breaches are caused by human error.

It’s obvious to her that this is where cybersecurity spending should be focused.

“If 88% of all data breaches are caused by human error, shouldn’t 88% of the cybersecurity budget be allocated to upskilling the humans?”

The government does have schemes in place focused on upskilling small business owners.

Just this week we saw $6.9 million in grant funding awarded under the government’s Cyber Security Business Connect and Protect Program, backing projects that help small businesses identify and address security risks.

Grants of between $189,000 and $750,000 were dished out to 14 organisations, with a leaning towards those supporting regional business.

For Jones, initiatives like this “provide some much-needed beginnings”. But they only benefit a small segment of the small business ecosystem.

“While $6.9 million to support the likes of the caravan and camping industry will be appreciated by those that benefit, we strongly encourage the government to consider investing more than 0.01% of their budget towards this rapidly growing problem impacting 97% of Australian businesses,” she adds.