Winning the cyber war

Why cleaning companies need a cybersecurity plan to protect their businesses and people.

Last Updated: April 11, 2023

By INCLEAN Magazine

High-profile ransomware attacks in Australia are a reminder that cleaning and hygiene companies need a cybersecurity plan to protect their businesses and people. 

For cleaning company executives, it would be easy to dismiss the recent ransomware attacks on Medibank and Optus as irrelevant to them.

After all, why would cyber criminals worry about relatively small businesses when they can go after the big fish?

Such complacency is highly risky, according to Monica Schlesinger, a cybersecurity governance expert and CEO of the Australian Health and Science Institute.

She notes the extensive use of subcontracting in the cleaning sector means smaller players are often called in to assist bigger companies.

“This three-person business is doing the cleaning services for some high-security companies and they’re suddenly the gatekeeper,” she says.

“They open the door to that business, whether they open the door with a physical key, a swipe card, or with a phone that is not secure and can be hacked.”

Such a scenario can leave businesses of all sizes exposed to cybersecurity risks and potential class actions if a ransomware incident occurs.

“Putting your head in the sand doesn’t work anymore,” Schlesinger says. “An attack can affect not only your company but your clients’ networks as well.”

High price to pay

The Australian Cyber Security Centre estimates that cybercrime costs Australia about $42 billion a year, with the government agency receiving more than 76,000 cybercrime reports in 2021-22, an increase of almost 13 per cent from the previous financial year.

The average cost per cybercrime is $39,000 for small businesses, $88,000 for medium businesses, and more than $62,000 for large businesses.

Ben Howden, Asia-Pacific director of growth at workforce management solutions business TEAM Software, says the Medibank and Optus cyber-attacks highlight the critical importance of investment in IT and cybersecurity within the cleaning industry to protect against possible financial and reputational losses.

“Given the profile and scale of these cyber-attacks, businesses, employees, and consumers now have a heightened awareness of how their data is being handled by third parties,” he says.

Howden says given the notable increase in cyber-attacks in Australia during the past 12 months, cleaning companies should consider taking the following steps to reduce risks:

  • engage a professional cybersecurity provider to conduct a security review of your business
  • ensure staff are trained in IT security to minimise the risk of a security breach
  • consider hiring someone with experience to manage IT security
  • conduct a review of your IT and software providers to ensure they are following security and data best practices
  • ensure your business has a defined disaster-recovery plan in the event of a cyber-attack or data breach.

Directors and boards on notice

Regardless of the size of the cleaning operation, Schlesinger says directors have a duty of care that includes understanding and acting on cybersecurity risks, while also appreciating that attacks can impact them personally.

“It takes vision, time and knowledge,” she says.

Crucially, Schlesinger says cyber threats are much more than an IT risk and require multiple lines of defence – incorporating staff training; HR policies that protect the business and its data; and robust finance and risk-management strategies.

To that end, cybersecurity should be on the agenda at every meeting, with CEOs, directors and IT experts driving the knowledge and education that helps ensure the long-term sustainability of the company.

Although they may not have the IT or management resources of bigger entities, Schlesinger says a good starting point for smaller companies seeking to understand their cyber-risk responsibilities is to access sources such as the ASX Corporate Governance Principles and Recommendations; the Corporations Act – Sections 180–183; the Privacy Act; the General Data Protection Regulation (GDPR) in Europe; and the Australian Institute of Company Directors’ Cybersecurity Governance Principles.

Howden says cleaning companies derive the majority of their revenue from supplying labour and, therefore, typically employ large workforces. As a result, they store a large amount of employee personally identifiable information (PII) across a number of different internal and external systems.

“PII data is particularly sensitive as it can be used on its own, or with other information to identify, contact or locate a single person, or to identify an individual in context,” Howden says.

“This type of data is attractive to cyber criminals as they can use it to hold businesses to ransom, or drive income from selling the data, or attacking individuals.”

He says the nature and volume of this data puts cleaning companies in a position of increased risk, noting that it was only recently that employees at both public and private sector organisations had their data compromised during a ransomware attack on a popular timekeeping and payroll solution that is used by several large facilities management and cleaning companies.

Get appropriate insurance

The primary lesson to be learned from the recent spike in cyber-attacks is that education is the key, regardless of the size of the business, according to Jane Mason, head of product, Channels & Risk at insurance service provider BizCover.

She notes that both the Optus and Medibank attacks largely came down to human error. Optus left an application programming interface (API) – which is essentially a gateway to information – open online, allowing hackers to access sensitive customer data.

The Medibank attack, which released the sensitive medical records of thousands of people, occurred simply because one single desk support worker did not have multi-factor identification.

In addition to ensuring that qualified IT professionals install and manage best-practice cybersecurity systems such as encryption, firewall and antivirus software, Mason says businesses should take out a cyber insurance policy to protect against the financial consequences of an attack.

For any risk, Mason says business owners in the cleaning industry need to ask themselves, ‘could I stay afloat by myself if this risk were to happen?’

“If the answer is ‘no’, then you might want to consider if there is an insurance product that can protect you from that risk.”

She adds that a business is at risk of cybercrime if it uses PoS devices, emails or has online systems (it does not need to be a website) to manage business, or if it handles important data that could be compromised (that could either be personal data related to your customers, or even your IP).

“Many small businesses are also at risk of phishing, where a fraudulent request is sent via email to charge a bank account. This is a very real scenario that can happen to nearly any business owner, regardless of the industry.”

Mason says a cyber liability policy can protect a business from the financial consequences of an attack.

“Not only might businesses need to deal with the cost of recovering the data and investigating the attack, but they may need to account for business-interruption costs and the expense of bolstering cyber defences. Then there might be the cost of dealing with the reputational damage cybercrime can cause, as well as the potential fines and legal costs associated with the attack. If you don’t think your cleaning business can handle these situations, then you may want to consider getting cyber liability insurance on top of your current insurance.”

Mason says there are two typical errors that small business owners make when taking out cyber insurance. First, some may think that they do not need to worry about cybersecurity as much because they are covered by cyber insurance.

“But cybersecurity and cyber insurance are both critical parts of a cyber risk plan that serve different functions.

“Cybersecurity helps prevent cybercrime from occurring and reduces the likelihood and impact of an attack. Cyber insurance protects your business from the consequences if an attack occurs.”

Second, some small businesses may think they can just set-and-forget cyber insurance, but if their risk changes their insurance may not cover the situation.

“If the business is operating with new online systems or equipment since the last time they renewed their policy, it may need a review to cover the new risks.”

This first appeared in the March/April issue of INCLEAN magazine. 

Visit www.cyber.gov.au/ for more information on how businesses can better manage cyber security.
