key: cord-0255767-ppr3e3fv
authors: Tam, Tracy; Rao, Asha; Hall, Joanne
title: The Good, The Bad and The Missing: A Narrative Review of Cyber-security Implications for Australian Small Businesses
date: 2021-09-02
journal: nan
DOI: 10.1016/j.cose.2021.102385
sha: f0e392ae69ff235a7b5469573eb1233541a98132
doc_id: 255767
cord_uid: ppr3e3fv

Small businesses (0-19 employees) are becoming attractive targets for cyber-criminals, but struggle to implement cyber-security measures that large businesses routinely deploy. There is an urgent need for effective and suitable cyber-security solutions for small businesses as they employ a significant proportion of the workforce. In this paper, we consider the small business cyber-security challenges not currently addressed by research or products, contextualised via an Australian lens. We also highlight some unique characteristics of small businesses conducive to cyber-security actions. Small business cyber-security discussions to date have been narrow in focus and lack re-usability beyond specific circumstances. Our study uses global evidence from industry, government and research communities across multiple disciplines. We explore the technical and non-technical factors negatively impacting a small business' ability to safeguard itself, such as resource constraints, organisational process maturity, and legal structures. Our research shows that some small business characteristics, such as agility, large cohort size, and piecemeal IT architecture, could allow for increased cyber-security. We conclude that there is a gap in current research in small business cyber-security. In addition, legal and policy work are needed to help small businesses become cyber-resilient.

cyber-security. We look in detail at the characteristics of Australian small businesses that may be impeding their cyber-security posture. We find that certain characteristics could help small businesses better secure themselves.
The definition we use here, of 0-19 employees, covers a significant proportion of business communities around the world. In 2015, around 29 million US firms employed 0-19 employees [29, 30] , while in 2019, in the UK over 98% of private sector businesses employed 0-49 people [31] . Thus, this research has relevance to small businesses from other countries with similar societal profiles to Australia [32, 33] , since human owners run small businesses [34, 35] . This paper is structured as follows: In the next section we examine the background to business cyber-security and the Australian small business context. Section 3 looks at existing review articles and compares them to our study. Section 4 discusses the difficulties in research and data collection for small business cyber-security. Section 5 looks at the constraints faced by small businesses in implementing cyber-security, while section 6 highlights potential opportunities that unique small business characteristics present with respect to cyber-security. We end with a conclusion and suggestions for future work. Small business cyber-security has some commonalities with large business cyber-security. The traditional aim of cyber-security is to protect business IT infrastructure, and the information essential for the business' day to day operations. However evidence has since emerged that the benefit of business cyber-security extends beyond this, to its people, processes and assets. The cyber-security industry is currently worth over US$100 billion globally [36] . While cyber-security previously focused on maintaining the confidentiality, integrity and availability [37] of information systems and data, current best practice includes non-technical aspects such as the people using the information (security culture) [38, 39] . A one-size-fits-all cyber-security solution does not exist [40, 41, 42] . 
Large businesses have adopted a variety of measures to secure their information and IT assets [43] against cyber-security threats. The benefits of securing a business extend beyond protecting the assets owned directly by the business. The disruptions to individuals from data breaches such as Equifax [44] and Ticketmaster [45] highlight the societal cost. The financial cost of an incident can severely disrupt the personal lives of small business owners, putting livelihoods in jeopardy [46]. The high level of codependency between people, technologies and processes has resulted in modern security standards/frameworks including "processes, organisational structures, policies and procedures, information flows, culture and behaviors, skills and infrastructure" [47, P.13].

In Australia, over 40% of private sector employment is from micro (0-4 employees) and small (5-19 employees) businesses [4]. The Australian Bureau of Statistics (ABS) defines a small business as one with 0-19 employees [48]. In 2016, 42% of Australian small businesses believed limiting online presence protected their business [28]. In the 2018/19 financial year, only 40.3% of small businesses received orders via the Internet [49]. Technology avoidance is no longer a feasible strategy for managing cyber-security risks. Online sales are becoming more attractive, influenced by market forces and official bodies [50], with the social distancing requirements of COVID-19 only hastening this [1, 51]. With nearly half of Australian small businesses allocating less than AU$500 annually to cyber-security [9], they cannot afford cyber-security expertise. Without external help, small businesses cannot secure themselves, and not just in times of emergency [52].

There is considerable literature, both academic and industry, on small and medium business (or SME) cyber-security. Here we identify the literature examining cyber-security challenges.
A keyword search was conducted within 5 academic search engines, namely Scopus, ProQuest, Science Direct, SpringerLink and IEEE Xplore. The keywords used were kept broad to maximise the number of results returned and constructed from the core concepts of "small business", "cyber-security" and "literature review". These are listed below:

1. Small business - "small business", "small enterprise" or "SME".
2. Cyber security - Various spellings of "cyber-security", "IT security" or "information security".
3. Literature review - "review" or "survey" with "literature".

The keyword pertaining to "literature review" (3) was replaced with a search filter of review articles where this option was offered by the database. Where possible, the search was limited to title, abstract and keywords. To ensure relevance to today's context, the search was restricted to publications dated on or after 2016. No filtering was done based on journal or conference ranking. Due to the general nature of the keywords, the initial searches returned a total of 2759 papers. Each of these papers was examined to determine whether the primary focus was small business (or SME) cyber-security. Most importantly, we looked for papers that exclusively discussed their cyber-security topic in a small business/SME context, rather than treating the cohort as a sub-discussion. Based on these criteria, 22 papers were shortlisted. A detailed examination of these papers gave us one very relevant review paper [20], and three partially relevant papers [21, 53, 26]. Table 1 compares the aims of our paper to the selected review papers, based on the following contexts:

A Restricts context to small business.
B Critically examines landscape of existing small business cyber-security research.
C Examines potential technical issues with small business use of cyber-security solutions.
D Examines potential human issues for small business.
E Identifies structural opportunities for small businesses.
Table 1, the shortlisted reviews do not distinguish small business as a separate cohort, despite the large proportion of small businesses present in global economies. Small business is often grouped together with medium businesses in the wider cyber-security context. In this article, we examine the problems arising from such grouping. Alahmari and Duncan [20] provide an overview of existing research on cyber-security risk management within the SME cohort. They identify lack of skills/knowledge, lack of appropriate management behaviours and sub-par defence as common themes, but do not explore how such situations arise. In this paper, we trace these symptoms back to possible contributing factors, which could enable better security solutions. Heidt et al. [21] point out that differences between SMEs and their larger cousins potentially contribute to difficulties in generalising cyber-security results to SMEs. They find that data is often obtained from non-representative enterprises (e.g. larger or industry specific groups). We re-examine the sampling issue within the industry context and find this trend extends beyond academia to industry and government. Given the lack of industry standard terminologies, we discuss how both cyber-security self-reporting and lack of agreed definitions are contributing to confusion. As demonstrated by Suryotrisongko & Musashi [53], there are a wide variety of topic areas and technologies within the study of cyber-security. Reviews that focus on specific topics [24, 23, 25, 26] provide little room for exploration of alternative solutions, e.g. a technical problem solved via a process. In this paper, we explore cross field opportunities in the context of small business cyber-security. In conclusion, there are no broad-based reviews exploring small business organisational characteristics that can impact their cyber-security posture, both negatively and positively. We address these gaps in this paper.
Given the importance of micro/small business in global economies, there is limited research into the cyber-security posture of, and corresponding solutions for, small businesses in the 0-19 employee range. While there is much research in large enterprise cyber-security from various countries, the transferability of this research to small business is problematic. Each developed country is at a different stage in the small business cyber-security research journey. In the USA, CISA (Cyber-security and Infrastructure Security Agency) conducted an online survey in 2019, on providing assistance with cyber-security issues to small businesses [54], but results are still awaited. In Europe, Eurostat breaks down enterprise size across multiple variables in its most recent 2020 ICT Security in Enterprise security report [55]. Businesses with 0-9 employees are excluded from the above Eurostat report, highlighting the research data gap within the small business cohort. This lack of inclusion also occurs in the Australian Bureau of Statistics' business characteristics surveys [48]. These surveys ask IT and cyber-security questions, but explicitly exclude non-employers/sole traders from the respondent pool. The cyber-security surveys conducted in Australia include:

• The Australian Bureau of Statistics (ABS) annual business characteristics survey asks detailed IT usage and cyber incident questions [48].
• The NSW small business commissioner CyberAware survey studied SME cyber-security [28] in 2017, in collaboration with various small business related commissions around Australia.
• The Australian Cyber Security Centre's (ACSC) online survey in 2019 looked at the usage of IT, security incidents and knowledge [9].

Each of the above surveys has its own focus, producing results within its own scope. Some of these scopes overlap. Some results appear to contradict others.
For example, in answer to whether small businesses have encountered a breach/attack/cyber-crime, the percentage of people that answered in the affirmative varied based on the survey (Table 2). The discrepancies are not necessarily due to deliberate actions or errors. They appear to be a symptom of the difficulty in reaching and obtaining comparable data from the disparate and technically inexperienced cohort that is small business. Discrepancies in the survey results also extend past national borders. In the Hiscox report [8], the average business cyber-security spend in European countries for organisations with 9 or fewer employees was US$7,000. In contrast, the ACSC survey [9] found close to half of Australian small businesses spent less than AU$500 annually on cyber-security. This order of magnitude difference in expenditure from seemingly similar socio-economic cohorts requires further analysis. While there is speculation [56] that complexity within the cyber-security field accounts for the disparity in results, it is possible these are due to challenges in getting accurate data from small businesses. The inability to gather data from diverse small businesses is a significant barrier to cyber-security research [16, 57, 58, 59, 22]. Consistently low response rates to broad-based voluntary surveys highlight the difficulty in obtaining a comprehensive sample. This is exacerbated by a lack of public domain data, especially where mandatory breach reporting regulations are immature. There is a disincentive to self-reporting due to fear of reputational damage [60], given the low possibility of prosecution [61, Fig 6.7]. This difficulty in reaching the small business cohort could result in convenience sampling, which is known to introduce its own set of limitations and challenges [62, 63]. The impact and bias arising from such sampling must be accounted for and discussed in research findings.
Numerous industry cyber-security reports address the gap in business cyber-security [43, 64, 8, 2, 65]. However, there are few standard definitions, structures and classifications within cyber-security. Data and findings are often ad hoc, incomplete and focused on headline-worthy items. For example, Symantec reports [2] that globally, in 2018, small and medium businesses were more likely to be hit with "Formjacking". Formjacking is Symantec's term for "use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites" [2]. Formjacking is a subset of code injection attacks [66], where code is injected for various purposes, and not just on e-commerce sites. The use of specialised terms such as "formjacking" makes comparisons between different reports difficult. The differing definitions of small business worldwide make data comparison difficult, see Table 3. Each research entity adopts the local small business convention or presents a brand new definition [58]. This disparity across the globe changes the context of findings. Clearly, an organisation managing 200 employees operates and communicates very differently to one with fewer than 10 employees [71, 72, 73]. Given the significant influence communication and human factors have on attacks such as phishing, email fraud, etc., size matters in any cyber-security discussion. Few researchers acknowledge the potential complexity of the large range of small business sizes. The Ponemon Institute's data breach report [64] extrapolates small business data breach costs from incident costs for businesses employing 500-1000. This cost figure is discussed as the cost for "smaller organisations". The bundling of small businesses with larger (in size) cohorts hampers the ability to action the lessons learnt. Self-reporting of data is another problem. The accuracy of self-reported cyber-incidents by small business owners needs examining.
Non-technical persons find it difficult to report subtle cyber attacks. In addition, there are psychological self-reporting biases [74, 75] . Thus, self-reported breaches can only be a starting point data set for analysis. Self-reporting surveys require business owners to be aware of cyber breaches. Common detectable symptoms of an incident, from a non-technical user's perspective, are unavailability of computer systems or data. For example, ransomware renders a computer unusable. Many attacks have no obvious symptoms. Active monitoring is required for subtle attacks such as data exfiltration, man in the middle, spyware etc. System owners may not be aware of a breach for months or even years [64, 76, 60] . While large enterprises can detect subtle attacks using active traffic monitoring systems, few small businesses can afford this monitoring [9] . The under-detection can be exacerbated by the lack of technical knowledge among small business owners (see section 5.2). In Australia, the Privacy Act, the main legislation governing data, does not apply to organisations with less than AU$3 million annual turnover [13] , i.e. most Australian small businesses. As such there are no legislative repercussions or financial incentives to report any breaches or cyber-incidents. Embarrassment in victims of online fraud [77] is another powerful reason for Australian small businesses not reporting incidents. Symantec [2] avoids this self-reporting gap by using known threat detection software installed within an end user's computer. Eliminating human interaction increases accuracy by recording incident details automatically. However, the proprietary nature of this software and reporting results in only Symantec customers and devices being included. This leads to a bias towards people willing (and able) to pay for Symantec's services. Detailed analysis and strategy design requires a more comprehensive small business sector view. 
In conclusion, alternative data collection strategies are needed to supplement existing self-reporting surveys. The under-representation of non-technical respondents in online surveys deserves scrutiny. Studies targeting technically savvy businesses often reach very different conclusions to those including a broader range. Cyber-security research relies heavily on online surveys due to logistical ease, and the assumption potential respondents use the internet for business purposes. In contrast, less than 40% of Australian small and micro-businesses used the internet for business development or monitoring market information in the 2017-18 financial year [48]. Self-selection bias is enhanced by a particular group's comfort level to a survey method. More respondents are likely to complete surveys that use familiar technology [78] . Cyber-security studies tracking industry breakdowns show IT/technical industry respondents are over-represented [8, 28, 22] . Challenges exist around demographic representation in samples with online surveys as the sole method of data collection. "Younger, male, avid Internet users, and those with greater technological sophistication" [79] are more likely to complete online surveys compared to surveys done via traditional mail. In contrast, in 2016, over half of small business owners in Australia were over 45 [80] . A survey with more technically literate respondents can introduce significant biases in results. Studies with input from technical experts [17, 81, 82] identified different concerns compared to general small business owners [83, 84, 85, 86] . A series of interviews from a single study [87] shows that small scale IT users have constraints in security decision making that are not expected by technical security providers. Australian small businesses in information, media and telecommunication, and professional, scientific and technical services categories made up less than 14% of all businesses, by business count, in 2019 [88] . 
In summary, the majority of small business owners in Australia cannot be assumed to intuitively understand the technical fundamentals central to cyber-security. Exclusively sourcing data from voluntary online surveys favours respondents comfortable with technology. Results from surveys must account for and reconcile any gaps between sample respondents versus small business profiles, from both demographic and technology literacy perspectives.

Large enterprises have been amongst the earliest adopters of cyber-security technologies. Current business cyber-security solutions favour these businesses in terms of scale, cost and usage. Today's cyber-security lessons and conventions are a result of early large-scale incidents, e.g. NotPetya, Equifax, Wikileaks etc., affecting mostly large organisations. With new threats constantly emerging, large enterprises are ideal customers for vendors, with a higher likelihood of return on investment. Consequently, cyber-security industry best practices, standards and products are heavily influenced by the needs of larger organisations. Small business cyber-security cannot be "cut and paste" from large scale solutions. Resource availability, technical landscape and operational processes of small business need careful consideration. Small businesses face some common challenges that need to be accounted for in cyber-security strategies since cyber-criminals are looking for smaller targets [2, 89, 90].

The technical landscape of a small business can potentially be very different to that of a large enterprise [22], making it impractical to apply solutions for the larger enterprises to smaller scale users. The small business IT technical landscape ("architecture") in which the cyber-security solution must function is a barrier to adopting a solution. Current industry practice tests changes in an environment separate from customer-facing sites and systems to ensure the changes do not impact IT system availability for live customers.
A test or staging environment is a copy that mirrors the customer-facing ("live") business system in hardware, software and configuration. Testing in a separate environment is recommended by many application providers before software upgrade processes [91, 92] . This testing ensures unintended consequences of changes/tests do not affect the business' live systems, keeping them "safe" and operational. A test environment can be used to conduct destructive testing such as disaster recovery scenarios. Cyber-security solutions designed to test a response to debilitating events require a safe testing environment. For example, denial of service (DoS) simulation tools [93, 94] simulate a service overwhelmed with requests resulting in legitimate requests not getting through. A DoS simulator, if implemented on a live system, would render the business IT infrastructure, e.g. website, unavailable to customers, or worse, jeopardise overall system integrity. Live environments cannot be used for stress-inducing tests. Consequently, businesses without a test environment will never be able to test the full suite of catastrophic scenarios as part of their incident response training. A test environment requires substantial technical knowledge, time and ongoing maintenance. Australian and New Zealand small and medium enterprises spend only 6% of their total revenue [58] on IT. For 2016, the median Australian small business had an average turnover of AU$125,000 [80] , translating to an annual IT spend of about AU$7,500. This budget covers all IT spend, including hardware, software, network services, IT personnel and other incidentals, making a test environment just one of many competing priorities. While cloud technologies have reduced costs associated with test environments, the technical knowledge required is still substantial. 
Less than a quarter of Australian small businesses have in-house, qualified IT support personnel (with roughly a third using contractors/consultants as needed) [48]. There is no mention of small business testing environments for off-line testing in the literature.

The small business move towards cloud infrastructure and services makes large enterprise cyber-security solutions unsuitable. Over a third of micro businesses and half of small businesses used cloud based services in 2018 [48]. This demand is expected to increase [95] and has accelerated due to the COVID-19 pandemic [96]. While official statistics on cloud services adoption during the pandemic are still pending, anecdotally the uptake of third party IT services in general has increased substantially [97], many of which are enabled through the cloud [98]. This move away from private, or on premise, infrastructure (i.e. IT equipment set up and owned by the business) is driven by the associated set-up and maintenance costs [95], a proposition especially attractive for resource constrained smaller businesses. Cloud infrastructure presents challenges for traditional cyber-security products. For example, general network scanning [99] assumes the infrastructure is local and/or reachable for scanning purposes, an assumption valid only for private infrastructure. The increasing suite of cloud-based network perimeter scanning services [100, 101, 102] requires explicit input from users on the target devices to be scanned. Targeted device scanning is a subset of a complete network scanning solution and cannot discover private assets (e.g. printers) with external interfaces left accidentally unsecured. This potential gap could be addressed by other technical or process remedies, and needs further examination by individual businesses, a task requiring technical knowledge and resources that many small businesses do not have. Scanning in the cloud is a challenge for shared computing resources.
Any customer sharing the same target computing resource will be affected if the targeted application is overwhelmed. Cloud infrastructure providers impose strict conditions on security-related testing activities [103, 104] , with the notable exception being Google Cloud [105] . Nearly 90% [48] of small business cloud users utilise software in the cloud. Many application providers explicitly prohibit activities interfering with their service, preventing customers from pro-actively discovering any vulnerability in their service provider. Indemnity and liability around use of an outsourced function needs clarification [106, 107] . It is necessary to address when testing and monitoring of privately owned devices is permissible. Mixed-use personal and company-owned assets, e.g. mobile devices, are common amongst small businesses [108, 85, 22] . Mobile device management (MDM) software [109, 110] allows businesses to monitor data and software residing on and transiting through devices. MDM can freeze certain functions and/or data, and, if needed, reset the entire device. Many large enterprises routinely deploy MDM on devices issued to staff. The level of access that MDM requires raises questions of the extent of non-work information shared with work IT administrators [111] when a device is not a work exclusive device. To address the privacy concerns of MDM, mobile application management (MAM) offers a subset of the functions of MDM [112, 113] . MAM functions require business trade-offs and must be paired with mitigating policies based on the sensitivity of business data. This requires expert guidance and is at odds with other revenue generating priorities for a small business. Clearly, re-using cyber-security solutions designed for large scale infrastructures is not a feasible strategy for small businesses. More appropriate cyber-security products are needed for small business given their mix of stand alone and shared IT resources. 
The liability arising from small business' use of cloud service needs clarification. Small business cyber-security human resources are very different to those of large enterprises. A qualified and accountable IT department is common in large enterprises but not in small businesses. In a European & US survey [84] less than 30% of small businesses, and less than 5% of micro businesses, indicated existence of a security administrator or any formal IT security qualifications. Approximately 10-25% of Australian micro and small businesses have no IT support at all [48] . In Australia, most small business support comes from external contractor/consultants, suppliers of software/hardware or non-IT qualified staff [48] . External contractors are engaged for specific tasks. They do not undertake cyber-security risk assessments unless contracted specifically. Suppliers only support supplied software and/or hardware, unless an extra support contract has been purchased. Small businesses' constrained resources and the low number of devices used imply support contracts are unlikely. Cyber-security requires risk analysis and mitigation of the entire IT system, not just individual components. The small IT budgets of small businesses do not cover the salary of an IT administrator [114] . Furthermore, small business owners are at a knowledge disadvantage in advocating for their cyber-security needs. In the start-up phase of a small business, owner-managers have to perform any functions that they cannot afford financially, or haven't had the time, to outsource or hire. As discussed previously, given small business' small IT budget, these include being the IT support person, and by extension the cyber-security person. Some tasks, such as cleaning, physical security etc. can conceivably be done by a person with limited experience. A cyber-security assessment cannot be done effectively by a novice. 
The age demographic of Australian small business owners indicates less exposure to technology. Nearly 60% of Australian small business owners were born before 1971 [80], well before publicly available Internet [115]. This technical skills gap is reflected in OECD testing [116] with less than 40% of Australian adults scoring within levels 2 or 3 (out of maximum 3 levels) of OECD's computer problem-solving skills scale. This percentage falls to 17.2% within the 55-65 age group. The timing of technology introduction places Australian business owners at a disadvantage when dealing with cyber-security. Assistance must be designed taking into account this lack of experience and cater to non-technical small business owners. However, training in a receptive format is well received by small businesses [117]. In section 6.1 we discuss the advantages inherent in this demographic.

Cyber-security requires ongoing effort in education, process and investment and is affected by the IT maturity of organisations. In Australia, approximately a third of small businesses operating in June 2015 did not survive to June 2019 [88]. The small business sector constantly has new entrants. Small businesses in early inception and survival stages do not focus on processes [118]. In these early phases, owners/managers usually have direct oversight of business tasks with formal processes coming in as the business matures and expands. This is at odds with a well-rounded cyber defence posture [119] requiring business policies and controls. This lack of clarity on process details (for example on IT fix times and specific responsibilities around patching) leaves the organisation exposed to opportunistic cyber-criminals. Research on small business behaviour in the early stages of business is required. Any cyber-security solutions or policies for small business must consider that the business' focus may not be on the management of cyber-security processes and rules.
The bewildering variety and complexity of industry standards is a challenge that small business owners face. Some examples of cyber-security standards and frameworks include:

• NIST [120]
• COBIT [121]
• ISO27001 [122]
• Australian Government Information Security Manual [123]

When used by a technical stakeholder such as a Chief Information Officer, these guidelines and standards fit any business wishing to protect itself from cyber attackers. The base assumption of many standards is a technically literate person being available to guide the business through analysis and implementation. Few small businesses can justify such a resource, especially in the initial phase of setting up the business. Simplified versions of the above standards are available [124], for example, the Australian Signals Directorate's (ASD) Essential 8 [125] and the small business cyber-security guide [126]. However, the range of available summarised resources varies in depth and format. More importantly, these resources have limited comparability between each other or existing security standards. It is unclear how a small business' cyber-security work fits in with other advice and standards once one list is completed. The complex relationships between the different standards leave non-technical small business owners with a very low sense of self-efficacy, or sense of control. The relationship between self-efficacy and action is a well-established driver of human behaviour [127]. In addition, low self-efficacy in cyber-security could be a factor in an owner rationalising inaction [128]. Industry bodies have recognised the difficulties faced by small businesses. ISACA, the governing body for COBIT, indicates small and medium enterprises will be catered for as part of their COBIT 2019 standards [129]. Unfortunately, to date, this focus area is still under review and not available.
Until cyber-security standards recognise small business' constraints, small business will find it hard to contextualise cyber-security within their own business, or implement the necessary controls.

Cyber insurance is a challenge for smaller businesses. Traditionally, insurance policies are used to protect a business against disruption or loss, ranging from natural disasters to theft. Business cyber insurance is a relatively new phenomenon, with many variations offered by different providers. Various providers in Australia offer cyber insurance to their small business customers [130]. Each insurer appears to require slightly different levels of due diligence from the small business, while each policy provides coverage based on disparate internal standards and policies [131, 132, 133]. Further study and research are needed to provide clarity to small businesses around standards applied across insurers.

Cyber insurance coverage has been called into question. One highly publicised debate [134, 135] surrounds the insurance exemption for "act of war" or "terrorism". In most politically stable countries, a clause to exclude coverage of catastrophic events, e.g. war/terrorism, is employed to manage underwriting exposure [135]. Most insurance policy takers usually accept an act of war in a developed country to be a remote, acceptable business risk. The effectiveness of such cyber insurance came under scrutiny when Mondelez submitted a claim after suffering US$700 million in damage from the NotPetya malware in 2017 [134]. Zurich Insurance denied the claim, citing the attack as an act of terrorism, as NotPetya was designed to cause maximum damage as opposed to financial gain. The situation was further exacerbated when the US government attributed NotPetya to Russian origins. The ongoing conflict between Russia and Ukraine further strengthened the terrorism case as Mondelez had infrastructure in Ukraine.
The decision by Zurich continues to be challenged in court by Mondelez, and other insured companies. The issue of terrorism is so contentious that Lloyd's of London [136] explicitly excludes terrorism related scenarios in its cyber insurance cost analysis. "It is difficult to attribute a cyber-attack to a particular group or actor" [136, P.17]. The difficulty stems partly from code from one malware author being reused by another. When malware code is examined forensically, it may contain artefacts of authors other than the criminal. For example, the NotPetya malware contains code stolen from the US National Security Agency (NSA) [137]. Thus the malware contains signatures indicative of US origin, despite the attack being attributed to Russia. Accurate attack attribution is out of reach of the average organisation, especially small business. This lack of attribution makes it difficult to prove an insurance claim as non-terrorism.

Small businesses and personal computers are often collateral damage of large scale cyber-attacks. The NotPetya malware wiped clean 10% of all computers in Ukraine [134], along with computers at many other international companies (including bouncing back into a company in Russia itself [137]). Many small businesses were highly likely to have been caught up in this fallout. Numerous Australian SMEs and large corporations were impacted by the 2016 Petya attack [28], from which the NotPetya malware is derived. In addition to the Mondelez owned Cadbury factory in Hobart, NotPetya affected companies with an Australian presence such as DLA Piper, Maersk, TNT etc. [138, 139]. Unfortunately, following the Australian government's attribution of NotPetya to Russia, and NotPetya's classification as malware [140], any Australian business with an act of terrorism insurance exception would reasonably find itself not covered by its cyber insurance policy.
The battles still being fought through the international judicial system indicate that cyber insurance is not mature enough for Australian small businesses to use effectively. For cyber insurance to be a risk mitigation tool for small business, significant industry, regulatory and assistance efforts are needed to clarify and provide adequate coverage to small businesses in case of a breach.

Despite the act of breaking into computers being covered under various legislations in different countries [61], cyber-criminals continue to operate with impunity. One reason for this perceived lack of consequences is the legal complexity of investigating and prosecuting cyber-crimes. Criminal and remediation processes are complicated when the perpetrators are under a different legal jurisdiction to the victims and properties, and hence subject to different legal processes and laws. The ease with which attacks can be launched over the internet makes cross-jurisdictional cyber-crime possible for criminals with minimal resources. Over half the countries responding to a 2013 United Nations (UN) survey described a transnational element in the majority of the cyber-crimes reported [61, P.117]. This cross-jurisdictional complication is discussed in the 2014 Australian government [141] study on online fraud. The negative impact of transnational barriers on investigations and judicial outcomes for victims continues today [46]. Jurisdictional complications possibly contribute to the overall low conviction rate (10%) of police recorded cyber-crimes [61, P.172]. However, international co-operation in fighting cyber-crime is beneficial [142] in overcoming structural barriers to prosecuting international cyber-crime. The low conviction rate is exacerbated by the low rate of reporting. Most cyber-crimes are not likely to be reported [61, P.119].
In Australia, the top 3 reasons [77] for non-reporting of online fraud include embarrassment, a belief that police cannot find the offender and uncertainty about the right reporting authority. Given these factors, the overall redress that actually occurs is even smaller.

Even in the remote event that a cyber-crime results in a conviction, the loss of confidentiality of data is a major issue. Once a receiver has stolen data, this knowledge/data cannot be removed from the receiver. Even where data can be located, the ease with which copies can be made and distributed makes containment difficult. One such example is the classified data taken from the United States National Security Agency (NSA) by an insider [143]. Despite investigations and knowledge of the locations of the document caches, information from this breach is still available on the Internet [144].

Outside of legislative penalties, there is little incentive for Australian small businesses to report cyber-crime. With low remediation rates and investigative difficulties, reporting to authorities is replaced by the priority of recovering from the cyber-incident. Without dedicated legal personnel to follow up and navigate the complex systems involved, legal remediation remains out of reach of most small businesses. Substantial work is still needed on the cyber-crime legal framework to convince small businesses that it is effective in delivering remediation when needed.

The gap in knowledge of the cost of inaction makes investing in cyber-security a difficult decision for small businesses. A small business needs to weigh up each investment decision against perceived benefits/loss. Existing data breach costing studies around the globe have primarily focused on larger businesses [43, 60, 64]. Small businesses (1-49 employees) suffer an average loss of US$14,000 per year per firm [8] across the US and some European countries.
Despite a low small business sample size, a US Government report [60] speculates the impact/cost of a breach on small business is possibly more devastating than for a large business due to the loss of customers. There is no data available for Australian businesses in the 0-19 employee range. In a survey by ACSC [9], about half of small business owners predicted it would take a few days to recover from a hypothetical cyber attack. Until relevant cyber-breach cost data is available, it will be hard to persuade small business owners to invest in managing cyber-security risks [3]. Scientific and industry research is needed to examine ways of determining actual costs to small businesses from cyber breaches, similar to larger enterprises [60, 64].

The small business cohort has advantages over larger enterprises, despite the many challenges they face. With the right assistance, a small business can become a less attractive target to cyber-criminals.

Two advantages for small businesses over their larger counterparts are their flexibility and willingness to learn. The COVID-19 pandemic showcased the agility with which small businesses adapted to fluid situations [145, 146, 147, 148, 149]. Small business owners possess qualities allowing them to react with agility [150, 151]. The older demographic of small business owners comes with advantages. Creative and critical thinking related digital skills actually improve faster within older age groups, with this improvement attributed to everyday hands-on experience of working with technology [152]. Flexibility, willingness to learn and creative thinking are important cyber-security skills [153, 154, 155]. However, small business owners, dominated by older but adventurous learners [156, 34], still struggle with cyber-security [86, 128]. Creative thinking skills cannot be used effectively when the basic information needed to create solutions is unavailable in an accessible format. Unlike conventional IT knowledge, e.g.
productivity software and mass-market hardware, cyber-security knowledge is still highly technical and inaccessible to the public. In Australia, small business owners are largely offered ad hoc cyber-security workshops and resources via disparate small business training and communication channels, e.g. [124, 157, 158]. With research showing that cyber-security needs to be a gradual, ongoing and persuasive effort [159, 160], alternative formats and continuous approaches to small business cyber-security training need to be examined.

A targeted capacity building curriculum, encompassing both prevention and response, can be used to take advantage of small businesses' agility. Building practical coping skills appeals to creative problem solvers like small business owners, without relying on formal processes [151]. A good starting point would be cyber-security advice for small businesses focusing on prevention, e.g. password policies, spotting phishing etc. This advice should extend to other aspects of a cyber-incident's lifecycle such as incident response, record keeping, technical recovery strategies etc. Victim assistance facilities (as part of incident response) like IDCare [161], ACSC Report [162], Scamwatch [163] etc. do exist in Australia but public awareness is not ubiquitous [77]. Increased education around crime reporting processes and forensic practices will improve response to breaches by small business owners. Further research is needed to enable cyber-security education to take advantage of small business owners' agility. Solutions need to be tailored to [117], and take advantage of, the unique abilities of small business owners.

An alliance between small business owners would enable data collection and advanced intelligence sharing, as well as peer support. This real time knowledge of trending threats and attack methods would help small businesses to be vigilant to emerging threats.
International large enterprises [164, 165] have formed cyber-security alliances allowing members to gain advanced intelligence and work collaboratively, forming a cyber-security feedback loop. In Australia, alliances between industry, government and research such as AusCERT [166] and ACSC Partners [167] exist. Unfortunately these alliances target organisations with dedicated cyber-security IT personnel/budgets. For small businesses such an alliance would provide easily accessible intelligence and affordable skills [168]. A cyber-security alliance of small business owners could allow law enforcement, legislators and technical support companies to respond rapidly to emerging threats. Each small business could contribute cyber-security incidents and intelligence into a central database, providing cyber-security peer support to each other. Education and awareness act as extensions of such an alliance, leading to it becoming a trusted authority on small business cyber-security. Technical and administrative facilitators are needed to overcome existing communication barriers between small businesses and facilitate such an alliance. The exact facilitation and support needed to start and maintain such a new alliance needs to be researched and clarified.

Suitable security models differ due to the scale of organisations. The low requirement for IT homogeneity makes zero trust security models [169] a prime framework for small business. Small businesses have limited large scale technical legacy to undo and their scattered IT operations suit a zero trust model. The traditional network perimeter safeguards an IT eco-system that is relatively obstacle-free internally, leading to the analogy of a hard shell enclosing a chewy centre [170]. The problem of an attacker having free rein once a perimeter is bypassed has been demonstrated in large scale breaches [44, 171].
Google [172], as well as other stakeholders [173], have recognised the futility of safeguarding an ever-changing network perimeter [174, 175], and have adopted zero trust principles in their services, as in the BeyondCorp design. The zero trust security model [176] is a network model for defence that presumes an attacker has gained access inside the hardened perimeter. In a zero trust model, access control is no longer performed at the network surrounding the IT systems, but focused on authentication and authorisation of user access to individual services. Small businesses have difficulty with perimeter defence as they don't own many of the IT services used. In many ways, the zero trust architecture is one small businesses have been managing for many years. Zero trust allows focus on individual service protection, thus limiting impacts even if an individual service gets breached.

However, small businesses need assistance with implementing a zero trust model. Each new device needs arduous processes of set-up for multiple services rather than one perimeter [177]. Abstracting security into a layer/functional component [178] allows standardisation and re-use across multiple businesses. This creates an opportunity for a reusable design/platform that small businesses can implement in their unique IT environments. Currently there are very few products and little research in this context. Despite implementation within large international companies such as Google and Akamai, zero trust has yet to see significant momentum within the Australian business landscape. Development of zero trust IT ecosystems for small business could bring high returns due to the large number of end users.

Open source software & hardware (OSSH) is developed and (usually) released for free by a community of software makers and hardware designers. OSSH is an option used by IT professionals when paid IT products, including cyber-security products, do not meet technical or cost requirements.
In embracing OSSH, Australian small businesses would be following in the footsteps of Australian government authorities. Various Australian government departments have encouraged use of OSS software as well as making software open source in general [179, 180, 181, 182]. However, a lack of technical expertise has hampered small business' ability to take advantage of free OSSH security solutions [183, 184, 185].

The ethos of open contribution by volunteers results in OSSH products being released under broad licenses (e.g. GNU general public use [186], creative commons license [187] etc.) that permit most uses. In some cases, this includes commercial use with nothing more than attribution. OSSH has produced popular projects such as the MySQL database, Fedora Linux operating system, Arduino microcontroller etc., which enable the development of commercial products. A variety of free OSSH cyber-security tools are now available [188].

However, characterising OSSH as free or low cost ignores the overall cost of ownership beyond initial financial outlay for supporting equipment and setup effort [189]. Both the Equifax breach [44] and industry standards like ITIL [190] have demonstrated the critical role played by post-implementation operational support in securing an IT environment. To enable ongoing maintenance, enterprise versions of OSSH are sold by third party vendors, including items such as on-going support, updates, certifications etc. For example, Red Hat Enterprise Linux is based on OSSH Fedora Linux [191] and offers the support options that Fedora does not. In larger businesses, where enterprise level OSSH products may not exist, in-house support is enabled by internal staff with dedicated responsibilities. A lack of technical expertise and financial resources in a small business is an impediment to the use of OSSH.

OSSH presents an opportunity for technical security solutions for small business owners.
OSSH provides many benefits for small businesses including:
• On-going reviews minimising security vulnerabilities from human error [192].
• Reducing vendor lock-in [189].
• Being part of the software community with a stake as users in the software development [193].
• Encouraging good cyber-security hygiene habits by enabling adoption in the early stages of the business lifecycle.

Australian small businesses could leverage the expertise of developers active in open source development. They could participate in local open source communities like PyCon [194] and Linux Australia [195] to have their business needs met and their voices heard. Building bridges between the OSSH and small business communities could provide value for both. Given the importance of cyber-security in business, further research is needed to analyse the suitability of OSSH security products for the Australian small business landscape and the obstacles to be negotiated to remove entry barriers.

There are few reviews dedicated to the small business cyber-security landscape. Our research reveals many constraints in small business adoption of cyber-security practices, but also advantages in the cohort that should be leveraged. As Table 4 illustrates, data collection in small business cyber-security research requires improvements in regards to scope, consistency and respondent range.

Over-reliance on surveys [9, 28, 48] as a data gathering instrument. Detection based small business monitoring to reduce reliance on self-reported statistics. Industry; Government 4.5 Survey instruments [78] favouring technically savvy [8, 28] cohorts. Demographically representative respondents of the small business landscape sourced to obtain relevant understanding of gaps and priorities.

Note: In the rapidly evolving field of cyber-security, research is advanced by a combination of different parties: scientific, government, industry, journalistic etc.
The "research" bodies referenced here, and in subsequent tables, include all who investigate the cyber-security challenge in question.

From our review of the literature, current cyber-security research lacks representative results and insights on small business only cohorts due to being bundled with better resourced medium businesses. Comparison between widely disparate groups introduces difficulties in producing focused learnings that can be applied to micro businesses and sole traders. Further research is needed on the sub-20 employee cohort to produce targeted findings.

Our research shows that the wide variety of language and definitions used within the cyber-security industry poses issues with interpretation of survey/research findings. Mismatched cohort sizes make comparisons difficult, and sometimes misleading. Standardisation of both group definitions and terminologies is needed within cyber-security research and industry to enable useful comparison and longitudinal use of research data.

The heavy use of self-reported surveys introduces social desirability and awareness bias in results. Rather than relying solely on self-reported data for small business research on quantitative matters, e.g. breach rate, technology involved, we suggest a wider deployment of detection based collection. For qualitative research, researchers should actively account and compensate for self-reporting bias, if possible, as part of their results.

Finally, as our research highlights, distortion in research results is worsened by the technical methods by which many surveys are conducted. Technical data collection channels, such as online surveys, result in samples biased towards respondents comfortable with using technology. Demographic data shows small business owners are not all technically savvy. Surveys need to be accessible and promoted towards both technically savvy and non-technical respondents to ensure all types of business owners are represented.

In addition to the research challenges listed above, being a small business poses many hurdles in understanding and implementing cyber-security, as summarised in Table 5.

Our research found that small businesses tend to operate differently from large corporations due to their size, leading to different IT usage patterns. One phenomenon is the tendency to mix personal and business use in devices; securing these devices using traditional security solutions such as MDM and MAM poses ethical and logistical dilemmas. The rising use of cloud services by small business also raises questions around liability and the control and visibility a small business actually has over its IT security.

Through demographic statistics we found that small businesses and their owners are at a disadvantage in regards to experience with and knowledge of technology. Given the older demographic, the majority of small business owners have spent a smaller proportion of their working lives on the internet, when compared to younger generations. This lower level of technical literacy needs to be accounted for in training and standards. It is unrealistic to expect non-technical people to self-drive and implement the highly technical security standards available today.

Small businesses' tendency to be at an inception stage is also at odds with the process and oversight driven cyber-security standards, with research showing early stage businesses do not have many established processes and management practices. Standards and solutions for small businesses need to factor in this mode of operation.

The general lack of maturity around cyber insurance, judicial processes and cost data all contribute to the state of confusion in cyber-security for small businesses. The ongoing litigation between insurance providers and larger corporations shows cyber insurance is not yet an effective risk management tool for small business.
Furthermore, the lack of comparable cyber-incident data leaves business owners with little understanding of the potential loss they are insuring against. Compounding this are the general difficulties in successfully prosecuting cyber-criminals, leaving small business owners with a lack of self-efficacy in the judicial system. The low sense of self-efficacy leads to inaction and is reflected in the low rate of reporting. Unfortunately, a low rate of reporting leads to cyber-criminals continuing to operate with impunity.

Our examination reveals the need to better understand small business IT usage, demographics, mode of operation and structural constraints. By understanding the differences and challenges involved, the discussion around cyber-security could match small business users' needs and expectations.

By taking a step back to look at small business as a whole, our research (summarised in Table 7) found opportunities for small business with regards to cyber-security. These opportunities take advantage of the unique landscape and characteristics of small businesses and their owners, and if leveraged, would lead to more resilient small businesses.

[150, 151] in the face of challenges - take advantage of traditional flexibility that small businesses present. Support [117] for small business to develop capabilities around ongoing cyber hygiene and response to breaches. Cohort size - leverage the large number of small businesses. Further research into feasibility and assistance required in forming networks [164, 165] that can be an early warning system within small business cohort. Sharing of knowledge to enable peer support. [192, 189, 193] that open source offers.

Our research found a small business owner's agility and responsiveness could lead to better cyber-security responses.
Rather than focus on formal and process based security standards, a more effective method would be to teach the skills/capabilities a small business needs to both protect itself as well as respond to an incident. Focusing on the skills needed taps into the natural ways in which small businesses excel at solving problems.

Small businesses could use their large numbers to their advantage by establishing alliances. Cyber-security alliances are not new and have been shown to benefit members. To date, alliances have formed between large organisations. Small business would obtain definite advantages from such an alliance, especially in terms of peer support, early intelligence and education.

Our research identified a couple of technical cyber-security solutions that could be leveraged for small business cyber-security with the right collaboration and product development. A zero trust model, by assuming no safe network boundaries, aligns the base IT architecture closer to small businesses' mode of operation. By discarding a need to ring-fence disparate IT systems, a zero trust model would drive a realistic security architecture plan to protect small businesses. In a similar manner, open source cyber-security software would give small businesses opportunities both in overcoming financial barriers to entry and having their needs met.

In this study we detailed the effects of cyber-security decisions/actions by organisations (legal or otherwise) on countries outside their geographical boundaries. Within countries with a similar societal profile to Australia, such as the UK and US, a similarity in cyber-security has been observed in the evidence produced. The parallels ranged from research approaches, e.g. survey, interviews, sole trader/micro business exclusion, to government actions, e.g. advisories, frameworks etc. These similarities extended to small business dominance of the economy, owners' awareness of cyber-security knowledge gaps, as well as comparable technology skill levels.
Given technology landscapes are also very similar across these countries, it is not inconceivable that small businesses in other countries with similar societal profiles to Australia, such as the UK and US, share similar human struggles with cyber-security. As such, any solutions shown to work in Australia would merit further examination in other such countries. The important role of human influence on small business cyber-security leads us to conclude that the small business challenges and characteristics discussed in this paper are not unique to Australian small businesses.

The urgent need to protect small businesses from cyber-criminals is driven by increasing pressures on small businesses to use technology. Small businesses face pressure to adopt technology from multiple fronts, ranging from customer expectations to world events.

Through our examination of evidence from both research and industry, we have identified gaps in the pursuit of cyber-security for small businesses at multiple levels. At a data level, further efforts are needed to clarify and improve understanding around small and micro businesses' ways of working, their IT architecture and real world small business breach loss statistics. The understanding must be gained through representative small and micro business samples and communicated using standardised security terminologies, so that data and lessons can be transferred in a wider context.

In addition, we discussed small business constraints that impact small businesses' ability to protect themselves. These range from availability of technical knowledge within the business to organisational maturity and mixed IT ownership. Uncertainties around external factors such as cyber-insurance, legal remediation and cost of cyber-incidents also make small business decisions around cyber-security difficult.

Through our overview approach, opportunities to apply non-traditional solutions to cyber-security are also becoming apparent.
Promising characteristics including alliances, a new security paradigm and open source community for helping small businesses to build up their defences were also identified.

With the right research and support, a more coherent understanding of small business cyber-security needs and risks can lead to more resilient small businesses. It is through a combination of these insights that cyber-security solutions can be made accessible to fit better with small businesses, rather than expect small businesses to fit into current cyber-security solutions. Industry, government and society at large also benefit from the reduced investigative and human costs of cyber-incidents. Supporting small business cyber-security has far reaching benefits, to the economy, the community and national security.

This research is supported by an Australian Government Research Training Program (RTP) Scholarship.

Tracy Tam is a doctoral candidate (Mathematical Science) within the School of Science at RMIT University. She holds a Bachelor degree (with Honours) in Telecommunications Engineering from Monash University. She worked for a decade as an engineer within the IT industry. She also has experience in managing her own small business. Her research interests include cyber-security within small business context, cyber-security human factors and security risk management.

Prof. Asha Rao is Professor and Associate Dean (Mathematical Sciences) within the School of Science at RMIT University, Australia. She is an Australian 2019-2020 Superstar of STEM. She has won over AUD 3.5M in grants since 2007 from Government and Industry to research a variety of issues including insider threat and continuous authentication.
As a trans-disciplinary researcher, she works on a variety of problems, ranging from designing better codes for communication, exploring the mathematics behind quantum cryptography, finding links between various combinatorial structures, to cybersecurity problems such as risk management for SME, detecting insider threats, and money laundering.

Joanne Hall is a Senior Lecturer in mathematics and cybersecurity at RMIT. With a background in abstract algebra, her research is on quantum key distribution and post quantum cryptography. Dr Hall completed her PhD at RMIT in 2011 on quantum key distribution. She has held research and teaching positions at Charles University in Prague and the Queensland University of Technology. As the internships coordinator for the Master of Cybersecurity Degree, Dr Hall has a keen interest in the cybersecurity needs of businesses.

NT Chief Minister Delivers Emotional Address to Territorians About Coronavirus Shutdown - ABC News Video Australia's Cyber Security Strategy - Enabling innovation, growth and prosperity Small Business Sector Contribution to the Australian Economy I Lost My Identity to a Fraudster, and It Took Six Years to Clean Up the Mess Margaret Atwood says thieves targeted Handmaid's Tale sequel Victims to Vigilantes Hiscox Cyber Readiness Report Australian Cyber Security Centre and Australian Signals Directorate GDPR Legislative Act Annual Civil Monetary Penalties Inflation Adjustment Health Insurance Portability and Accountability Act of 1996 (HIPAA) Office of Parliamentary Counsel Co-designing compliance to the Anti-Money Laundering Act within the small and medium enterprise sector Designated non-financial businesses and professions: The weak link in Australia's AML/CTF regime Small to Medium Enterprise Cyber Security Awareness: an initial survey of Western Australian Business Enabling Information Security Culture: Influences and Challenges for Australian SMEs Fostering Information Security Culture in Small and Medium Size
Enterprises: An Interpretive Study in Australia Challenges in fostering an information security culture in australian small and medium sized enterprises Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments On small-scale IT users' system architectures and cyber security: A UK case study Information Security Culture Assessment of Small and Medium-Sized Enterprises in Tanzania Effective Information Security Strategies for Small Business Structure and Challenges of a Security Policy on Small and Medium Enterprises A Systematic Literature Review of Cloud Computing Adoption and Impacts Among Small Medium Enterprises (SMEs) Big cyber security questions for small business The state of cyber fitness in Australian small businesses Cyber Aware Nonemployer Statistics by Demographics (NES-D): Using Administrative and Census Records Data in Business Statistics 2015 SUSB Annual Datasets by Establishment Industry -Data by Enterprise Employment Size Business Population Estimates for the UK and Regions Culture's Consequences : Comparing Values, Behaviors, Institutions, and Organizations Across Nations Key Facts Survey of Adult Skills ( PIAAC ): Full Selection of Indicator -UK, US, Australia and OECD Data Table Personality Characteristics and Growth-orientation of the Small Business Owner-manager Prospecting for Strategic Advantage: The Proactive Entrepreneurial Personality and Small Firm Innovation Worldwide Spending on Security Solutions Forecast to Reach $103.1 Billion in 2019, According to New IDC Spending Guide Examining the Effects of Knowledge, Attitude and Behaviour on Information Security Awareness: A Case on SME Understanding the Violation of IS Security Policy in Organizations: An Integrated Model Based on Social Control and Deterrence Theory Self-Confidence Trumps Knowledge : A 
Cross-Cultural Study of Security Behavior The 10 Deadly Sins of Information Security Management Does One Size Fit All? Examining the Differential Effects of Is Security Countermeasures Measuring information security performance with 10 by 10 model for holistic state evaluation The Future of Cyber Survey The Equifax Data Breach, Majority Staff Report Ticketmaster admits customer details may have been stolen in hack Tradies Frustrated by Banks as Business Email Scam Costs Them $51000 Framework: Introduction and methodology 8167.0 -Characteristics of Australian Business Growing the Digital Economy in Australia and New Zealand. Maximising Opportunities for SMEs State Government of Victoria Resource Scarcity in SMEs: Effects on Incremental and Radical Innovations Review of Cybersecurity Research Topics, Taxonomy and Challenges: Interdisciplinary Perspective Participants Sought For Survey On Small And Mid-Size Business Cybersecurity Issues ICT Security in Enterprises Variables Influencing Information Security Policy Compliance: A Systematic Review of Quantitative Studies Experienced Benefits and Barriers of e-Business Technology Adoption by SME Suppliers SMBs In the Digital Race for the Customer Information Systems Security Issues and Decisions for Small Businesses: An Empirical Examination The Cost of Malicious Cyber Activity to the United Nations Office on Drugs and Crime Beyond the "Narrow Data Base": Another Convenience Sample for Experimental Research Security Developer Studies With GitHub Users: Exploring a Convenience Sample Cost of a Data Breach Report Cyberthreats and Solutions for Small and Midsize Businesses 1321.0 -Small Business in Australia SME Employers Small and medium-sized enterprises (SMEs) Table of Small Business Standards Matched to North American Industry Classification System Codes The Impact of Group Size and Proportion of Shared Information on the Exchange and Integration of Information in Groups Channels of Communication in Small Groups Team 
Coordination, Communication and Knowledge Sharing in Smes and Large Organisations Understanding Self-Report Bias in Organizational Behavior Research Social-Desirability Bias and the Validity of Self-Reported Values Most ICO Data Breach Reports Late and Incomplete Prior to GDPR, Reveals Redscan FOI Online Fraud Victimisation in Australia: Risks and Protective Factors Administering, Analysing, and Reporting Your Questionnaire A Comparison Between Mail and Web Surveys: Response Pattern, Respondent Profile, and Data Quality Small Business Counts, Small Business in the Australian Economy A Software Gateway to Affordable and Effective Information Security Governance in SMMEs IT Service Management From a Perspective of Small and Medium Sized Companies Developing Cybersecurity Education and Awareness Programmes for Small-and Medium-Sized Enterprises (SMEs) Approaches to IT Security in Small and Medium Enterprises Approaches to IT Security in Small and Medium Enterprises Security Related Issues in Saudi Arabia Small Organizations: A Saudi Case Study Influencing Factors of Information Security Management in Small-and Medium-Sized Enterprises and Organizations Risk and the Small-Scale Cyber Security Decision Making Dialogue -A UK Case Study 8165.0 -Counts of Australian Businesses, including Entries and Exits Huge Rise in Hack Attacks as Cyber-Criminals Target Small Businesses A Whopping 78% of Small Business Are Being Targeted by Cyber Criminals. Here's How to Stay Ahead Planning the Development, Testing, Staging, and Production Environments Setting up Systems for a Staged Upgrade Network Security Testing Tools for SMEs (Small and Medium Enterprises) Metasploit Framework The economic value of cloud services in Australia Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021 Uber Eats Demand Soars Due To COVID-19 Crisis Uber vs. 
Lyft: How the Rivals Approach Cloud, AI, and Machine Learning Design and Implementation of Virtual Security Appliances (VSA) for SME Spyse Subscriptions Purchase Tenable Solutions External Vulnerability Scanner AWS Customer Support Policy for Penetration Customer Service Policy for Penetration Testing Microsoft Cloud Penetration Testing Rules of Engagement Cloud Security FAQ Who Should Be Responsible for Software Security? a Comparative Analysis of Liability Policies in Network Environments Cybersecurity Liability: How Technically Savvy Can We Expect Small Business Owners to Be? The Connected Business -ACMA research snapshot Mobile Device Security Considerations for Small-and Medium-Sized Enterprise Business Mobility GSuite by Google Cloud Endpoint Management Apple Is Making Corporate 'BYOD' Programs Less Invasive to User Privacy Technology decisions for BYOD with EMS -Microsoft Docs Overview : Manage devices with Google endpoint management Tailor your basic mobile device management Average IT Administrator Salaries Happy 25 years of the internet, Australia Survey of Adult Skills (PIAAC): Full selection of indicators Small Business Owners: Too Busy to Train? 
Five Stages of Growth in Small Business The Challenge of Implementing Information Security Standards in Small and Medium e-Business Enterprises NIST Framework for Improving Critical Infrastructure Cybersecurity ISACA AS ISO/IEC 27001 Australian Standard Information Technology -Security Techniques -Information Security Management Systems -Requirements Australian Signals Directorate and Australian Cyber Security Centre Cyber Security: The Small Business Best Practice Guide Australian Signal Directorate Essential Eight Maturity Model Small Business Cyber Security Guide Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change How Smaller Businesses Struggle With Security Advice Design Guide Designing an Information and Technology Governance Solution, Information Systems Audit and Control Association Cyber Insurance Products Cyber Insurance Australia Quote Form Fact sheet Cyber Liability Insurance Is Cyber Insurance Really Worth It? Big Companies Thought Insurance Covered a Cyberattack Enhancing the Role of Insurance in Cyber Risk Management Counting the Cost: Cyber Exposure Decoded The Untold Story of NotPetya, the Most Devastating Cyberattack in History Petya Cyber Attack: Ransomware Virus Hits Computer Servers Across Globe DLA Piper Paid 15000 Hours of IT Overtime after NotPetya Attack Australian Government attribution of the 'NotPetya' cyber incident to Russia Challenges of Responding to Online Fraud Victimisation in Australia Innovations in international cooperation to counter cybercrime: The Joint Cybercrime Action Taskforce The Most Wanted Man in The World This Is Everything Edward Snowden Revealed in One Year of Unprecedented Top-Secret Leaks Coronavirus wreaks havoc on wedding industry as Chinese factories remain closed and workers quarantined Live List: Melbourne Restaurants Pivoting to Takeaway Due to Coronavirus One of KC's Best Craft Cocktail Bars Adapts With Bottled Drinks and Kits During Coronavirus Quarantine 
Coronavirus forces businesses to adapt to survive the COVID-19 pandemic Craft Brewer Pivots to Hand Sanitiser as Firms Rise to Virus Challenge Towards a Theory of Entrepreneurial Resilience : A Case Study Analysis of New Zealand SME Owner Operators How Entrepreneurial Resilience Generates Resilient SMEs You Can Teach Old Dogs New Tricks: The Factors That Affect Changes over Time in Digital Literacy Examination of Personality Characteristics Among Cybersecurity and Information Technology Professionals An Examination of the Vocational and Psychological Characteristics of Cybersecurity Competition Participants Non-Technical Skills Needed by Cyber Security Graduates The Big Five Personality Dimensions and Entrepreneurial Status: A Meta-Analytical Review Small Business Workshops and Events Small Business Cyber Security Guide Towards Information Security Behavioural Compliance From Information Security to Cyber Security IDCare ReportCyber, Are You a Victim of Cybercrime? Australian Competition and Consumer Commission 2019 Data Breach Investigations Report Cyber Security. Simply. Make it Happen. 
Leveraging Digitization Through IT Security AusCERT Become a Member Become a Partner The Effect of Strategic Alliance on Small Business Performance: A Meta-Analysis Zero Trust Architecture -NIST Special Publication 800-207 No More Chewy Centers: The Zero Trust Model Of Information Security Vision: The Security Architecture And Operations Playbook Incident Report on the Breach of the Australian National University Administrative Systems Beyondcorp : A New Approach to Enterprise Security Chaffetz Urges 'Zero-Trust Model' For Network Security Beyondcorp : A New Approach to Enterprise Security Build Security Into Your Network's DNA: The Zero Trust Network Architecture BeyondCorp 5: The User Experience BeyondCorp Part III: The Access Proxy Open source software guideline Guideline Simple, clear and fast public services Vic Open Source Policy.pdf A Guide to Open Source Software for Australian Government Agencies Snort Intrusion Detection System The netfilter.org Project NMap Tool GNU General Public License Creative Commons Free CyberSecurity Tools : The Ultimate List Should You Adopt Open Source Software? ITIL usage, and use of ITIL recommended practices and the IT outsourcing relationship quality What's the difference between Fedora and Red Hat Enterprise Linux? Open Source Software in Industry The Bazaar inside the Cathedral: Business Models for Internal Markets Linux Australia