31 July 2024

Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Tim Webster.

ABC Radio Sydney

Subjects: ransomware attacks on small business, cyber security tips for small business, insolvency concerns, business continuity planning, changes to privacy laws, energising enterprise, Carly Simon, Warren Beatty, Mick Jagger and James Taylor

Tim Webster

Australian businesses are paying untold amounts of ransom to hackers, but neither the government nor the public actually knows how much. That's interesting. The Cyber Security Act, which is yet to be unveiled, would force Australian businesses and government entities to disclose the payments or face fines, and is expected to be brought before the parliament at the next sitting. So, how will small business deal with all of that? The Australian Small Business and Family Enterprise Ombudsman is Bruce Billson. He joins us from time to time and we love talking to him. G’day.

Bruce Billson

Great to be with you Tim. And I haven't heard that Carly Simon version either. Everyone remembers that Coming Around Again that was in that Heartburn movie, and, of course, You're so Vain. I mean, that doesn't apply to anyone in this conversation, but that was a big hit.

Tim Webster

Certainly not. 1973 You’re so Vain. Well, the conjecture about who it was about, and I think she eventually said it was a conglomerate. Warren Beatty, Mick Jagger, of all the men she’s known.

Bruce Billson

Warren suffered from being a particularly handsome rooster. Who knows. But that’s not what's on our mind though. The pressures on small business.

Tim Webster

The Cyber Security Act. Now, that's an interesting piece of information. Untold amounts to hackers, but neither the government nor the public knows how much. I imagine that's because business doesn't want them to know.

Bruce Billson

Yeah, it's a tricky one because most of the expert advice is don't pay for the ransomware to be released so you can get your data back. But, clearly, in some cases, businesses are making a commercial decision that rather than have the whole capability and their ability to engage in trade and vital data, there are reports that some actually pay the ransomware and then hope that the nefarious figures that are involved in cyber hacking then do the right thing and release their data. 

It’s a bit of a contested space, but the expert advice is, overwhelmingly, don't pay the ransomware. But then the same experts are saying for us to be best placed to combat that kind of thing, we need to know what's going on. And therefore, you know, the information perhaps around who's doing the ransomware attack and what you may be asked to pay is something that's really important to those trying to defend us in this cyber security threatening world.

Tim Webster

I know it's a threatening world, but tell me, do you think it's fair to fine people for non-disclosure, whether it's 15 grand or whatever it might be, because they’ve already been ‘got’, haven’t they?

Bruce Billson

I don't think it's fair for small business to face what could be a fine that, if it was applied to them, would cripple their business. At a time when small business people are so time-poor and margins are really squeezed, and we know nearly half aren’t profitable right now. If you're hit with a ransomware threat or challenge, I reckon you'd be pretty focused on trying to get your business up and going again. And one of the things that we're finding in this complicated, quite sophisticated regulatory environment, you might not even know to whom it is you need to report this breach, but you inadvertently break the law, and then you're faced with another crippling impact on your business. 

We've been urging government to have, almost like an A-Team, that can get alongside small and family businesses that have a cyber event. Have them navigate that process, help them make sure they've got appropriate safeguards, but also help them recover on the other side. 

I'd hate to see anything that discourages people reaching out for that help if they feared getting pinged with a fine. So, maybe if it's a bigger organisation Tim, and they've got, you know, technical experts and they know all the organisational structure that happens in this space, maybe a more punitive response is arguable. A time-poor, resource-stretched small business, I’m not so sure about that.

Tim Webster

We were, as you would know, a victim of that CrowdStrike. And it was incredibly dramatic here when you've got a studio full of blue screens. So, it's happening to everybody. Maybe more help from the government rather than hindrance from the government on cyber security?

Bruce Billson

That’s our view. Look, there's some encouraging signs there. In the last budget there was an announcement to set up a small business cyber resource hub. I'm optimistic about that. That's what we've been urging that the government does, so that there's a real sense that government is an ally for small business when getting through these terrible events. Not one where they’re fearful of raising these challenges and therefore not getting the help they want and they need, and then having that really impacting on that business's opportunity to recover, to get its data back, get systems going and focus on delighting customers. Not that there's some fine around the corner they might get spanked with.

Tim Webster

My texter – don't forget to put your name on the text so I could acknowledge who you are – but he or she basically says, more regulation and red tape on small business owners like myself. It's none of anyone's business what I pay and to who.

Bruce Billson

I think if you had this support posture, one of assistance rather than of compliance, you get small businesses saying, oh, hang on, this is a change in our economy. I really need to be tooled up and as well-equipped as I can be. And to have the resources of government there to assist in making sure you've got appropriate safeguards, good preventative steps. Good, dare I say data hygiene. Sorry for the jargon, Tim. That'd be great. Then if something happened, somebody can get alongside you to work out what you need to do to get through that event. And then some help on the other side getting back up and going. 

I think that posture, so much better, so much more likely to get the right outcome that policymakers are hoping for, rather than having this big fine hanging over a small business for whom, if they're pinged, they might not have even known they needed to take those steps and then that fine itself could bring them down as badly as perhaps the cyber threat did.

Tim Webster

Everyone's got so much to do, Bruce. Oh, you got pinged and you feel really guilty. But don't, because there's so much of it around. I mean everyone's after your information, your money, every day of the week. I mean the amount of texts you get, emails you get. You've got to be so vigilant these days.

And look, Jamie says this. Good point. Don't know why you'd pay the ransom. Couldn't the hackers just copy the information they'd hacked and release it anyway? 

Bruce Billson

I'm kind of with Jamie. And I’m not discounting for one minute that a commercial decision is often what's guiding this. But I tell you what, if someone was nefarious enough to have a crack and compromised my system in the first place, if I handed over a substantial chunk of change in the hope that they then do the right thing. That's the thing that I'm wary about with paying ransomware. I would have imagined having good backups, you know, multi-factor authentication to sort of limit what's going on. For your listeners that are in business and maybe use digital platforms, and have a credit card attached to say their Meta Marketplace account, if that gets hacked, do what I do. I use a very low amount credit card for my online transactions. Thinking, you know, if someone does grab that data and has a crack at my credit card, if I can't go back to the people that should have guarded against that in the first place, I at least have kept the credit limit very low. And therefore, the harm to me is minimised. 

So, for your listeners and businesses and even consumers that are dealing with those online transactions and having credit cards linked to the advertising spend on digital platforms, have a separate credit card with a really low credit limit on it and minimise that risk. Make sure you've got control over that account. If they've taken the account out and blocked you, make sure there's another way of verifying that you’re who you are. And if all else fails and you’re a small business, get on to us and we'll help out. 

Tim Webster

Is that Cyber Security Act a fait accompli? Is that going to happen, or can you convince them to not do it?

Bruce Billson

It's still going through the Parliament, so there's plenty of opportunity for some of your texters and others that have raised some good views to feed those in, because it's really about right-sizing it Tim. You and I've talked about that before, but a small business isn't some shrink-wrapped major corporation that's got, you know, technical expertise coming out of their ears. That's not right. It's mum and dad and committed enterprising men and women often doing compliance things 10 o’clock at night to try and make sure that the business of running the business is attended to while they also focus on what the future looks like for their business, how can they delight customers and maybe, you know, innovate to get better value for themselves and the people that rely on the business.

Tim Webster

Alright, let's leave that one. There's a few issues to deal with. A 50% increase in queries by small business about a business they're dealing with, possibly being insolvent or a concern about what to do if they're worried about their own place. 

Bruce Billson

There's a couple of things happening here. What we are seeing is that really significant uptick in concerns. We're also seeing people checking on what are called credit reference platforms, where they check to see whether the business they are dealing with has some, let's use the word form of not always paying their bills and the like.

But also we're getting an increase in payment disputes even when work is carried out under the contract or the terms that were agreed. Just getting paid Tim, just getting paid is really a pain point. And when the cash flow is tight and when you see the Tax Office are up and about trying to make sure that people with outstanding tax liabilities are engaging with them. When margins are being squeezed, one of the things you see sometimes there’s this friction in just getting paid and the payment time blowing out. It's a real concern.

So, what we're saying to business is if you've got those concerns there are ways you can check; for a small fee you can check on the credit record of those businesses. That doesn't mean don't do business with them. But if you and I were running an electrical business at a subdivision out in western Sydney, in a growth suburb like that, we've got to spend a bit of money buying all the equipment, the substations. So, we're out of pocket already. And then there's our time and expertise. So not being paid, not only us not being rewarded for our work and our diligence, we're also carrying the costs of the equipment we've had to buy. And therefore, you might say to that developer, I want half that project cost as a down payment before I start, so that I can at least cover the costs of those outgoings for equipment. And when the job's done, I'll come and get the rest.

So, you might change your terms, the way in which you engage. But just making an informed decision about those things where we are seeing an uptick in these payment difficulties, we recommend that as part of your approach to your business.

Tim Webster

Louise from Inverell. Louise says, I've got a small limit on my credit card. I used to make jokes that I should keep it maxed out for safety's sake. 

Bruce Billson

She raises an interesting point. It is about managing that risk. I mean, sadly, the experience that you've had in the studio and some of these cyber events, I don't think they're the exception. We're likely to see more of that. It’s almost a new normal where there's such a dependency on technology and digital systems in our economy and our lives. Just taking those steps to safeguard, to prevent a bad event happening, and then to limit not only the risk of it, but the cost of it, they’re the things that we're urging people to do.

Tim Webster

Now, let's allay the fears of Elyse at Mascot. This discussion about small business and security is making me feel very uncertain about transacting digitally with small business. Unfortunately, it steers me to dealing with larger organisations that are better resourced to protect my data.

Now, just on the back of that text. Also, a text about – look, sometimes on the ABC you have to mention a commercial entity just to make a point – I've been asked about PayPal. I don't, but my wife does, and she's never had any issues with that. So, both texts are sort of going, oh, gee, what do I do?

Bruce Billson

There's some really good points in there. And frankly, those messages are reflecting the sentiment in the business community. There is a heightened anxiety and awareness of these things, but there are steps that you can take within your own control. I mentioned multi-factor authentication. Changing your passwords, trying not to have Timisfab12345 as your password is probably not ideal. 

Even the software, you get a notification that there's an update for the software. Tim and listeners, often those updates have safeguards or patches to guard against weaknesses or vulnerabilities in the software. Back up your files. I was involved in building a bank to take on the big banks and we used to have a system, and I know it's at a larger scale, but we used to have a system that backed up almost continuously. So, if one of what frankly was thousands of attacks on our site every week, if one of those worked, we could just go back to the moment and all the data before it was compromised and boot it up again from there. So those backups become really important.

PayID, where you verify who the payee is. One of the things in small business that is a real cyber threat is what's called the invoice substitution scam. So, they’ll sneak into your accounting and invoicing system and you won't even know it. They’ll mess with a PDF, a saved file, and put someone else's banking numbers in there. So it all looks legit. You're expecting this invoice. You pay it on the basis of what's in it. All looks legit. And some nefarious character’s gone and changed the banking details so it whisks that payment off to another account. And before you know it, they've converted it to crypto and you can't track it down. So, the way around that is to verify who you are sending money to, to use things like PayID and those secured systems.

The other one is to consider eInvoicing, which is a much tighter, less vulnerable way of sending invoicing. So, there’s steps that you can take. But needing to be situationally aware is really important.

Tim Webster

Jamie opened a second account and transferred my money to that. So, on the credit card, he's got nothing. And this one from Chris. SMEs and large enterprises should open a business continuity plan for ransomware, including incremental offsite backups. It's critical. And then their own servers would help. That’s Chris. It’s clever.

Bruce Billson

Chris is legendary. I hope he doesn't think we've planted that in there. Chris is absolutely right. We found only about one in four have an up-to-date business continuity plan. And that's where you contemplate things that might knock your business off-course and then think about and plan for and have the bits and tools in place to recover and to make considered choices at that time.

That business continuity plan, it could and should address a cyber-attack. And it'll talk about backups and knowing who your providers are and where you've stored data and key contacts to help you get up and going again.

But it might be dealing with a natural disaster. It might be dealing with a health episode. If you and I were the breadwinners of our partnership Tim and one of us got sick, that's going to bump us off track as much as a cyber-attack.

So, Chris is right on the money there. Think about what might happen that could take you off the course you want to be on and what are you going to do about it. And that's a really great contribution from Chris. Top tip of the day.

Tim Webster

Good on you Chris, thank you. Jenny says you can buy a credit card at one of the big supermarkets for various amounts. You can buy it on the internet and that’s not using your own savings. Lot of this is very clever, Bruce. 

Bruce Billson

And really practical too. Jenny's, again, right on the money. She's talking about practical steps well within your ability to take them, that actually mitigate the risk of something bad happening. And then if something bad does happen, you’ve really cauterised the cost and consequences of it. They’re fantastic ideas and I hope your listeners are getting something out of this discussion.

Tim Webster

They obviously are. And thank you very much Chris and Jenny. 

Now, before the news rushes up at me. The government's looking at removing the exemption that allows small businesses to not comply with privacy laws. How does business feel about that?

Bruce Billson

Not thrilled, but it's very linked to our earlier discussion. So, under the privacy laws, there's a dozen or so privacy principles that big businesses need to read, absorb, interpret and then apply to their workplace and their enterprise about how they're going to manage data that might be vulnerable or might compromise a person's identity and those sorts of things.

So, you can understand where they're coming from. For many years there's been an exemption for small business, with the exception of sort of health professionals and those sorts of things. There's been a review saying, look, the whole world has changed. We just had a great discussion about it. And so much of our day-to-day life sees businesses having data that's really important to us.

Now, if that data is risky to your identity or your economic interest, there's got to be certain duties to make sure you take really good care of it or, in some cases, advice to get rid of data you don't need so that you remove that risk. What the government's talking about is simply removing the exemption so that a small business has got to do all the hoop jumping the big businesses do.

We’re saying, hang on a minute. Again, a time-poor, resource-constrained small business. Let's get in with some really straightforward, easily implementable action steps that achieve that objective and have good data management that's of advantage to the business as well, not just a compliance obligation. And maybe open up new opportunities to link cyber security safeguards, good data management. It’s a more complicated world to be running a business. But let's not make it needlessly super, super, super complicated where the risk and responsibilities just are completely out of whack. 

Tim Webster

Bruce, I'm very glad I'm just a humble old broadcaster. The things small business have to deal with. It's quite amazing, isn't it? Really?

Bruce Billson

We've been tracking this and saying to anyone who will listen, the risks and responsibilities of business ownership continue to grow, but the rewards aren’t growing with them. 

We need to really think about that risk-reward balance and make sure being an enterprising man and woman is attractive, it's fun, it creates wealth and opportunity for those business-minded people and those employees that they make possible. And it brings such a vitality to our communities where you might not have a big corporate go to regional and rural New South Wales. 

What do you think's driving these regional economies and towns? It's small and family businesses, and we need to make sure we celebrate that and look for ways to energise enterprise so there's more of it and better prospects of success into the future.

Tim Webster

And just while I’ve got 30 seconds, a texter says to both of us. Mick Jagger did backup vocals on You’re so Vain so it couldn't have been him. I think that's right. However, why couldn't it have been him?

Bruce Billson

My mail tells me it was Warren Beatty and let’s remember there was a time when Carly Simon and James Taylor had a thing. That didn't end well. It used to be Her Town Too. There’s a song for you.

Tim Webster

I think she said in an interview it was a conglomerate, so let's go with that. Thanks for your time.

Bruce Billson

Take care and best wishes to you and your listeners.

Tim Webster

And he does join us quite regularly, it’s great. Our Small Business and Family Enterprise Ombudsman Bruce Billson.