Cyber security is a disaster waiting to happen for small businesses and they need practical advice to stay out of trouble, said the chair of the Council of Small Business Organisations of Australia.
“How much of a problem is it for small business? It’s absolutely there,” said Matthew Addison, who is also executive director of the Institute of Certified Bookkeepers. “It’s not a problem until you get hit. And then when once you’ve got hit …”
Mr Addison said awareness of the issue was high, but it was easy for a small business to overlook the dangers until it was too late.
“From a small business angle, each small business person, it’s a real stretch of their thinking. I can either go and make sales, or I can worry about cybersecurity,” Mr Addison said.
Speaking on the latest Accountants Daily podcast, Mr Addison cited the example of one ICB member who experienced months of disruption after a security breach.
“It actually didn’t cost them any dollars but because they’d been hacked, their emails had been hacked. They had to totally reconfigure and advise all their clients, and advise the regulators they deal with,” Mr Addison said.
“You and I both hear about the small business that still clicks on the link that they thought was legit. They still take the phone call that feels like it’s from the tax office.
“So it’s real, then the question is, how do we prevent it becoming a real issue for small business?”
The recent budget allocated $9.9 billion over 10 years for cyber security with much of the money directed to high-level defence programs to protect Australia as a whole.
Mr Addison welcomed the initiative, but said small business was crying out for nuts-and-bolts advice.
“I think we’re all aware, but we don’t know what it means or, more to the point, we don’t know what to do about it. I’m looking for that: how-tos,” Mr Addison said.
“So what we need is a series of solutions by the intermediaries, those advisers that already help small business, empower them to put cyber security techniques in place.
“How do I protect my email? How do I protect my website? How do I protect my bank accounts? The how-to solutions is what I’m hoping some of that budget initiative will go towards.
“What’s the how-to? What does it mean to be at a cyber risk? Or what do I have to do to actually be in a cyber security environment?”
Mr Addison said e-invoicing was recent advance that went hand in hand with cyber security, and he urged small businesses to adopt the system.
“This is a better use of a secure digital channel for my business to send your business an invoice – not just a PDF, not just an email that could be intercepted and could have the bank account details changed – it’s a secure digital channel,” Mr Addison said.
“From my natural business accounting software I push the ‘send this by e-invoicing’. You, as the receiver of that invoice, has also got to subscribe into the e-invoicing system, be a receiver of the invoices, and it comes to you as data.
“That data is received straight into your accounting system. You see it in your inbox and you approve it as a valid invoice.
“It’s a better world.”
He said although the ATO was a strong advocate of the system, it had no visibility of e-invoicing transactions.
Despite its advantages, he said universal adoption of e-invoicing was still some way off.
“I don’t think it’s a quick journey. It’s a hard one to demand or make compulsory,” Mr Addison said.
And while the system could streamline invoicing to a point, he was an advocate of human sign-offs before payment.
“A human needs to approve that invoice, approve it’s the right amount, and there’s got to be a conscious decision to pay it,” he said.
“So I really struggle with those that talk about, ‘Oh, this is flow-through automation, the bill will just come in and get paid straight away.’
“Well hang on, somebody’s got to be in control of what gets paid.”