Winning the cyber war

For cleaning company executives, it would be easy to dismiss the recent ransomware attacks in Australia as an irrelevance for them.

After all, why would cyber criminals worry about relatively small businesses when they can go after the big fish?

Such complacency is highly risky, according to Monica Schlesinger, a cybersecurity governance expert and CEO of the Australian Health and Science Institute.

She notes the extensive use of subcontracting in the cleaning sector means smaller players are often called in to assist bigger companies.

“This three-person business is doing the cleaning services for some high-security companies and they’re suddenly the gatekeeper,” she says.

“They open the door to that business, whether they open the door with a physical key, a swipe card, or with a phone that is not secure and can be hacked.”

Such a scenario can leave businesses of all sizes exposed to cybersecurity risks and potential class actions if a ransomware incident occurs.

“Putting your head in the sand doesn’t work anymore,” Schlesinger says. “An attack can affect not only your company but your clients’ networks as well.”

High price to pay

Ben Howden, Asia-Pacific director of growth at workforce management solutions business TEAM Software, says the recent cyber-attacks highlight the critical importance of investment in IT and cybersecurity within the cleaning industry to protect against possible financial and reputational losses.

“Given the profile and scale of these cyber-attacks, businesses, employees, and consumers now have a heightened awareness of how their data is being handled by third parties,” he says.

Howden says given the notable increase in cyber-attacks during the past 12 months, cleaning companies should consider taking the following steps to reduce risks:

  • engage a professional cybersecurity provider to conduct a security review of your business
  • ensure staff are trained in IT security to minimise the risk of a security breach
  • consider hiring someone with experience to manage IT security
  • conduct a review of your IT and software providers to ensure they are following security and data best practices
  • ensure your business has a defined disaster-recovery plan in the event of a cyber-attack or data breach.

Directors and boards on notice

Regardless of the size of the cleaning operation, Schlesinger says directors have a duty of care that includes understanding and acting on cybersecurity risks, while also appreciating that attacks can impact them personally.

“It takes vision, time and knowledge,” she says.

Crucially, Schlesinger says cyber threats are much more than an IT risk and require multiple lines of defence – incorporating staff training; HR policies that protect the business and its data; and robust finance and risk-management strategies.

To that end, cybersecurity should be on the agenda at every meeting, with CEOs, directors and IT experts driving the knowledge and education that helps ensure the long-term sustainability of the company.

Howden says cleaning companies derive the majority of their revenue from supplying labour and, therefore, typically employ large workforces.

As a result, they store a large amount of personally identifiable information (PII) employee data across a number of different internal and external systems.

“PII data is particularly sensitive as it can be used on its own, or with other information to identify, contact or locate a single person, or to identify an individual in context,” Howden says.

“This type of data is attractive to cyber criminals as they can use it to hold businesses to ransom, or drive income from selling the data, or attacking individuals.”

He says the nature and volume of this data puts cleaning companies in a position of increased risk, noting that it was only recently that employees at both public and private sector organisations had their data compromised during a ransomware attack on a popular timekeeping and payroll solution that is used by several large facilities management and cleaning companies.

Get appropriate insurance

The primary lesson to be learned from the recent spike in cyber-attacks is that education is the key, regardless of the size of the business, according to Jane Mason, head of product, channels and risk at insurance service provider BizCover.

She notes that both the Optus and Medibank attacks largely came down to human error. Optus left an application programming interface (API) – which is essentially a gateway to information – open online, allowing hackers to access sensitive customer data.

The Medibank attack, which released the sensitive medical records of thousands of people, occurred simply because one single desk support worker did not have multi-factor authentication.

In addition to ensuring that qualified IT professionals install and manage best-practice cybersecurity systems such as encryption, firewall and antivirus software, Mason says businesses should take out a cyber insurance policy to protect against the financial consequences of an attack.

For any risk, Mason says business owners in the cleaning industry need to ask themselves, ‘could I stay afloat by myself if this risk were to happen?’

“If the answer is ‘no’, then you might want to consider if there is an insurance product that can protect you from that risk.”

She adds that a business is at risk of cybercrime if it uses PoS devices, emails or has online systems (it does not need to be a website) to manage business, or if it handles important data that could be compromised (that could either be personal data related to your customers, or even your IP).

“Many small businesses are also at risk of phishing, where a fraudulent request is sent via email to charge a bank account. This is a very real scenario that can happen to nearly any business owner, regardless of the industry.”

Mason says a cyber liability policy can protect a business from the financial consequences of an attack.

“Not only might businesses need to deal with the cost of recovering the data and investigating the attack, but they may need to account for business-interruption costs and the expense of bolstering cyber defences. Then there might be the cost of dealing with the reputational damage cybercrime can cause, as well as the potential fines and legal costs associated with the attack. If you don’t think your cleaning business can handle these situations, then you may want to consider getting cyber liability insurance on top of your current insurance.”

Mason says there are two typical errors that small business owners make when taking out cyber insurance. First, some may think that they do not need to worry about cybersecurity as much because they are covered by cyber insurance.

“But cybersecurity and cyber insurance are both critical parts of a cyber risk plan that serve different functions.

“Cybersecurity helps prevent cybercrime from occurring and reduces the likelihood and impact of an attack. Cyber insurance protects your business from the consequences if an attack occurs.”

Second, some small businesses may think they can just set-and-forget cyber insurance, but if their risk changes their insurance may not cover the situation.

“If the business is operating with new online systems or equipment since the last time they renewed their policy, it may need a review to cover the new risks.”

Safeguarding your data and documents

TEAM Software’s Ben Howden provides advice for cleaning companies seeking to protect data related to tender documents, contracts, employee information and payroll technology.

  1. Ensure employees’ operating systems and software are updated regularly to ensure they are using the most secure version.
  2. Implement regular or automatic data backups of your business’s most important information.
  3. Utilise multi-factor authentication (MFA) for access to key systems. MFA typically requires a combination of something you know (username and password), something you have (physical token, authenticator app) and something you are (a fingerprint or another biometric).
  4. Implement access controls to manage who can access specific data within your business environment. Access controls help by restricting access to files, applications, databases, mailboxes, networks and other sensitive information. Many businesses follow the principle of ‘least privilege’, which gives users the bare minimum permissions they need to perform their job.
  5. Consider using a password manager such as 1Password to enforce minimum password rules and prevent re-use of passwords across multiple systems.
