BDO and AusCERT seek gov’t guidance to avoid another pink batts

Leon Fouche, Partner and National Cyber Security Leader at BDO

BDO and AusCERT say the gov’t’s tech investment boost is a good first step to heighten the resilience of businesses. However, guidance is needed to avoid another ‘pink batts’ fiasco, and questionable ‘pop-up’ providers are a real risk, say the industry experts.

As part of the 2022–23 Budget, the Australian Gov’t announced it will support SMBs via the Small Business Technology Investment Boost and Small Business Skills and Training Boost.

What does the gov’t incentive mean to SMBs?

SMBs with annual turnover of less than $50m will be able to deduct 120% of eligible training and assets, like cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return. AusCERT and BDO called for guidance to be provided for SMEs looking to take advantage of the gov’t incentives, to reduce the chance of inadequate governance.

“AusCERT recognises the significance of the latest federal gov’t announcement and hopes the promise will be matched equally by delivery,” said AusCERT Director David Stockdale.

“While it is easy for a gov’t in the run-up to an election to make promises, the benefit is in recognising the needs of SMEs and training them to lift their cyber security posture.”

“This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap. Helping SMEs to understand the threats and implement proportional controls is critical, and is no easy task.”

“Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates fall victim if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David.

“Training needs to address these gaps – let’s hope we do not see providers peddling a ‘silver bullet’ course and we find ourselves looking back to see another ‘pink batts’ fiasco.”

Where is the flaw in the gov’t’s good intentions?

The latest BDO and AusCERT Cyber Security Survey found incidents requiring data recovery efforts rose by 160% from 2020, suggesting that attacks are becoming more destructive and laser focused. BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of businesses.”

“However, the gov’t announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AusCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’ recipients. This indicates that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.
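The ‘CC instead of BCC’ breach described above is one of the few accidental-email failures that can be caught mechanically before a message leaves the organisation. The following is an added example, not code from BDO, AusCERT or the survey, of a simple outbound check that flags a message whose visible To/Cc headers expose many external addresses across several domains (the pattern of a bulk notice that should have used Bcc). The internal domain, threshold and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domains; everything else is "external".
INTERNAL_DOMAINS = {"example.com"}


def visible_external_recipients(raw_message: str) -> list[str]:
    """Return external addresses that every recipient can see (To and Cc only).

    Bcc is deliberately ignored: addresses placed there are not disclosed
    to the other recipients, which is exactly the behaviour we want to reward.
    """
    msg = message_from_string(raw_message)
    external = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr or "@" not in addr:
                continue
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                external.append(addr.lower())
    return external


def check_mass_disclosure(raw_message: str, threshold: int = 5) -> dict:
    """Flag a message that visibly lists `threshold` or more external recipients
    spread over more than one domain: a bulk mail-out that should have used Bcc.
    Several people at a single partner company on Cc is normal and not flagged.
    """
    external = visible_external_recipients(raw_message)
    domains = {a.rsplit("@", 1)[-1] for a in external}
    flagged = len(external) >= threshold and len(domains) > 1
    return {
        "flagged": flagged,
        "external_recipients": len(external),
        "external_domains": len(domains),
    }


# Constructed sample: a reminder sent to six unrelated customers on Cc,
# so every customer learns the others' addresses.
BULK_CC = """From: accounts@example.com
To: accounts@example.com
Cc: alice@customer-one.test, bob@customer-two.test, carol@customer-three.test,
 dave@customer-four.test, erin@customer-five.test, frank@customer-six.test
Subject: Invoice reminder

Please find your invoice attached.
"""

# Constructed sample: the same mail-out done correctly with Bcc.
BULK_BCC = """From: accounts@example.com
To: accounts@example.com
Bcc: alice@customer-one.test, bob@customer-two.test, carol@customer-three.test,
 dave@customer-four.test, erin@customer-five.test, frank@customer-six.test
Subject: Invoice reminder

Please find your invoice attached.
"""

if __name__ == "__main__":
    for label, raw in (("cc", BULK_CC), ("bcc", BULK_BCC)):
        print(label, check_mass_disclosure(raw))
```

A check like this belongs at the mail gateway or in an outbound DLP rule rather than on the user's desktop, so that it runs regardless of which client or device a remote worker sends from; the threshold should be tuned against real traffic so that legitimate multi-party threads are not blocked.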

“With the increase in working remotely there is growing awareness of the need for training. Our report showed that 1 in 4 firms have invested in cyber awareness training,” said Leon.

“Yet most firms don’t have a CSO or specialist security contractor on speed dial to keep up with the changing landscape of cyber threats, so the gov’t will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

How else can the federal gov’t help the SMBs?

The BDO and AusCERT Cyber Security Survey found that 60% of firms use cyber threat intelligence. Those not learning about new cyber threats are lagging behind their peers.

The survey identified several steps businesses can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives by the gov’t will drive SMEs signing on to training, whether this means a business’s first training course for their staff or upskilling those who have some awareness training. What is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets,” said Leon.

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on tech investment. There is more to digital evolution than a website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary. “The Technology Investment Boost is terrific for innovative tech-driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business.”

“In addition to standard backend operations, many people who have laboured over the years and built up a successful business, particularly in non-tech-driven areas, need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan.

“However, there has been some insidious countermovement.”

“For example, on the back of a trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now linked to an initial data theft to provide two bites at the cherry. If the victim is not going to pay the ransom, then maybe they will pay to get their confidential data back. There are no guarantees either way.”