The COVID-19 crisis has widened the cybersecurity gap between large businesses and SMEs, with smaller firms increasingly vulnerable to attacks, a new report has found.
The report by the Cyber Security Cooperative Research Centre looked at the implications of mass remote working due to the COVID-19 pandemic through interviews with leaders across 20 organisations, including national banks, research institutes and tech conglomerates.
It found that while larger firms are able to spend on cyber to ensure there is adequate security for their systems while their teams are working from home, smaller firms and startups are lagging behind and are more vulnerable to potential attacks.
“We found the impact of COVID-19 could contribute to a widening disparity in the cybersecurity capabilities of large well-funded organisations that already invested in cybersecurity programs and those that are less mature, especially SMEs,” the report found.
“Many SMEs have lagged in upgrading their cybersecurity systems during the pandemic, a trend that could continue in a post-COVID world. Assessing the ability to continue operations and the types of work employees could accomplish at home took precedence over cybersecurity concerns.
“This is problematic, as research indicates home internet users generally have poor cyber hygiene, lack the knowledge to protect their digital technologies and personal information, and present a weak link that cyber criminals can exploit.”
Labor has pointed to the report as evidence the federal government is “missing in action” on cybersecurity, with its updated strategy still yet to be released, nearly a year after consultations began.
The Cybersecurity CRC report found that large businesses have been able to accelerate investment in cybersecurity controls and practices in the wake of COVID, but smaller firms have taken a “more ad hoc cybersecurity posture” mainly due to the costs associated with taking action.
“Small businesses and startups were less likely to be able to bear the costs of implementing best-practice cybersecurity. This means the impact of COVID-19 could lead to greater discrepancies in cybersecurity posture between Australian organisations,” it said.
“Given cost prohibitions, there should be a focus on developing cost-effective, easily maintained cyber solutions to help protect Australian SMEs now and into the future.”
The report said that government intervention is needed in the space to help mitigate cyber threats, provide information and support to companies, and assist with implementing the ASD’s Essential Eight baseline cyber controls.
But cybersecurity has fallen off the Coalition’s agenda, shadow assistant minister for cybersecurity Tim Watts said.
“As [the] CRC report highlights, Australian small businesses have been confronted by a wave of new cybersecurity threats during the COVID-19 pandemic as employees adjust to working from home and cyber criminals seek to exploit health and economic fears to trick their targets. But once again, cybersecurity policy has fallen to the bottom of Peter Dutton’s to-do list,” Mr Watts said.
The government is expected to release a new cybersecurity strategy this year, but is yet to confirm when this will be rolled out. The Department of Home Affairs began consultations on the strategy 11 months ago, and the previous 2016 strategy “reached the end of its four year life more than a month ago”, Mr Watts said.
“The Morrison government is still missing in action. The new report found that small businesses were often compromising basic cyber hygiene measures as they have sought to enable staff to work from home during the COVID-19 pandemic. These vulnerabilities then create risks for the other organisations they interact with,” he said.
He also said the government is yet to release an Australian Cyber Security Centre small business survey conducted nearly a year ago, which could help to understand the cyber posture of SMEs.
“That’s nearly a year of inaction on small business cybersecurity policy development,” Mr Watts said.