There is an ever-increasing need for cyber security to be moved up the agenda for organisations. As entire workforces moved online during the peak COVID-19 restrictions, so too did cyber threats increase.

The damage these types of threats can have on organisations is increasing. At the start of this year alone, we’ve seen the largest fuel pipeline in the US shut down when hackers accessed the network through a password to an inactive account which led to the payment of $4.4 million in ransom.

Closer to home, the Nine network was unable to air, or produce news in what the organisation billed as a “sophisticated and calculated attack”, at the same time the Australian Parliament was also attacked rendering many staff members unable to use emails or devices for many hours.

While these high-profile attacks may give a sense of security that smaller businesses won’t be targeted by this type of behaviour, this is very much a false sense of security. More often now would-be large-scale attackers are using smaller organisations to reach the systems of larger organisations.

What is cyber security?

Cyber security is protecting your digital assets from people who shouldn’t be accessing it.

Some of the main types cybersecurity include:

  • Application security
  • Information security
  • Infrastructure security
  • Network security
  • User education

Malicious acts

Malicious acts against an organisations cyber architecture can take a number of different forms.

Distributed denial of service (DDoS)
These attacks target website and online services by overwhelming them with large amounts of traffic to make the website crash.

In the beginning, ransomware encrypted data and locked victims out of their systems until the ransom was paid.

This type of attack now commonly includes the victim’s data being copied and the threat to release it publicly unless the ransom is paid.

These types of attacks often rely on social engineering techniques, such as phishing, to trick users into giving them access to the system.

One of the most common attacks techniques, and often one of the most successful, it also uses social engineering techniques to either gain access, or mislead someone into clicking bad links, downloading malware attachments, or handing over sensitive information.

Short for malicious software, it’s intended to cause damage to systems, steal data, gain access to data and networks and essentially cause major headaches for organisations.

Essentially digital junk mail and a popular way to spread viruses onto computers.

Guarding against cyber security threats

Prevention isn’t the end step in good cyber security.

As a standard, organisations should ensure that they are patching their networks and educating their staff on phishing and developing a healthy level of scepticism. Ideally though, they should be employing a network detection and response software program, something that looks for malware in the system and prevents it from leaving the actual device.

The next important step to ensure that there are appropriately skilled people monitoring the outputs of the security system. There is no point in spending money on these software programs if no one is then interpreting, and reporting on, its findings.

Organisations need systems that are highly connected to allow for efficient operations.

These highly connected networks mean that the rate of infection is greatly raised. The speed at which an infection or attack can access the entire network is often underestimated.

Businesses need to ensure that threats are identified appropriately. Even if they have enlisted the services of a managed security operations centre there is a need to check the level of service they are getting from this service.

Not all 24/7 services are created equal. Once they have confirmed the appropriate level of detection, businesses need to have a plan for how to respond to these threats.

Responding to a cyber security attack

Cyber threat response is a whole of business activity.

Once an attack happens, businesses need to respond quickly, and they shouldn’t be trying to work out how to respond in the heat of the moment. The response function should be similar to how a business prepares for fire drills. They need to know who within the organisation will be required to respond and this often involves more than just the IT team or cyber security team – responding to a cyber threat is a whole of business requirement.

A cyber attack on an organisation, especially a smaller business, could be devastating for that business. Not only will they have to deal with the logistics of protecting or losing data, there is also often reputational damage that has been done.

Consumer confidence in the organisations ability to protect their data might be lost, additionally any downtime needed to recover from a cyber incident can give your competitors an easy window to exploit to take business away.

While there are many things every small to medium enterprise can do to protect yourself from a cyber attack, it should be remembered that it does not also mean spending enormous sums of money on the latest technologies or locking down your environment to a point where it’s difficult to do business.

There are no hard and fast rules for what every organisation should have in place for cyber security, instead pragmatism must prevail. A balancing act must be struck between what risks you are willing to tolerate versus what investments you are willing to make. This balance is unique to each organisation and is an important first step that everyone should take to really understanding the cyber solutions that will be right for them.

KPMG Cyber Solutions for your business

KPMG's Cyber Solutions offering is designed to help private, mid-market and family businesses outpace cyber threats and protect their most important assets.

Find out more

Contact KPMG's cyber security team

Contact us below, or subscribe for updates.

Cyber security services & insights

Find out more about KPMG's cyber security services, as well as insights and thought leadership.