You don’t need to reach for an over-priced report from a Big Four consultancy to understand that cyber-related supply chain risk resides predominantly among Australia’s small and medium sized businesses.
This is a reality, if only because of the nation’s disproportionately large numbers of SMBs compared to similar advanced economies. Some 97 per cent of companies in Australia are classified as small and medium-sized businesses.
The growing complexity of cyberthreats across the globe and the rampant problem of ransomware have focused government attention on supply chain issues and finding ways to “harden” the SMB component of those supply chains.
Mimecast country manager for ANZ Nick Lennon says the scale of the problem in Australia is at a point beyond where we need a simple awareness campaign to respond to the issue.
Mimecast, which is a global email security and cyber resilience specialist, has encouraged government to broaden its thinking about strategies for bolstering SMB cyber capability.
The company has made a series of recommendations through its submission to the Department of Home Affairs consultation on Strengthening Australia’s cyber security regulations and incentives, including backing the notion of a cyber health check system that specifically targets Australian small and medium sized businesses.
Nick Lennon says the Medicare system of universal healthcare provides the corollary – if not an actual model – for delivering better access to quality cyber services to SMBs that would provide a base-level safety net for individual companies while also improving economy-wide cyber resilience.
The model, which would need to be delivered through the interaction of the tech industry, the education sector and government, has the potential to unlock significant economic value that may not be immediately obvious, Mr Lennon said.
Universal healthcare through the original Medibank system, and its subsequent evolution into Medicare, delivered huge economic benefit over decades, including contributing significantly to an uplift in workforce participation.
“We can use that [example] as a basic universal right to get access to cyber protection and allow them to focus on where they can create IP, create income for their employees, and let the business owners be impactful and successful,” Mr Lennon said.
“We see an opportunity here for government to really think differently about how we unlock cyber protection for SMBs.
“Where we see that is through the obvious interaction that exists between industry, education and government in creating the services that SMBs can access,” he said.
“The upside is that this fixes supply chain issues and provides a tremendous uplift for resilience across the economy, and helps to solve the other big problem we’ve got in relation to the cyber skills shortage.”
Government was already starting to think in new ways about cyber issues and SMBs, Mr Lennon said. This was most clearly evident in the way it had extended critical infrastructure protection measures to include SMBs involved as suppliers to critical infrastructure services.
“It is really a matter of how we think about this kind of basic [cyber] protection as a safety blanket for the community, and for the economy … that this actually creates an opportunity, rather than just being seen as a cost,” Mr Lennon said.
The cost of introducing base-level cyber protection for SMBs would not have to be entirely borne by the public purse, he said, and delivery would be through the education sector and industry. But government would need to lead the initiative and drive uptake.
Eventually, he said cyber audits will become commonplace and more transparent, so that customers and stakeholders can get a better understanding of the “trust” an organisation should be given. It is not different from when financial audits were introduced, so that potential customers and partners are better able to assess risk.
“In the same way that financial audits are made public through a listed company – which creates a level of trust for an investor to put money into that organisation – cybersecurity will play the same role in demonstrating how mature the company you’re dealing with is,” Mr Lennon told InnovationAus.com.
“There is no doubt at all that in the future you will be audited on your cybersecurity standards in the same way that we’re audited from a financial point of view today.
“And that rating will be powerful, because it turns cybersecurity into an ‘enabler of business’ rather than just a cost-centre, and that’s where I think the opportunity exists,” he said.
“It creates trust, and this is how people decide where they put their data, where they put their personal information, their medical records, and their cash. This is a huge opportunity in the digital economy – and you have to find a way to allow SMBs to really participate.”
“Because how do you get the level of cyber protection that you require as an SMB to deal with a nation-state [bad actor]? That’s like taking a knife to a gun battle. It is a huge issue for the economy and it is an area where government can really help.
“We need policymakers to think differently.”
This article was produced in partnership with Mimecast. Nick Lennon is a member of the InnovationAus Leadership Council.
Do you know more? Contact James Riley via Email.