Cyber security for small business


Cyber security - homepage

The Internet in its broadest sense is the Swiss army knife of business tools. All businesses at the least use email, some of their functions tied up with the cloud, or Point of Sale (POS), social media channels are the primary marketing tools, CRM is where all the customer data is, and many have their whole business built around a digital landscape. As we all become more enmeshed with online as a place for our business operations, whether front or back of house, it is important to be across how to not just do good business online, but how to do safe business online – and protect and mitigate business from being open to cyberattack.

Cyberattacks have happened to some of Australia’s biggest and most secure organisations. When those organisations don’t succeed at fending off attacks, it can seem overwhelming for a small business to know where to start and what to do. You may think you’re too small to be noticed, but this is exactly what makes you a target, as lots of small attacks add up to a pile of data and plenty of disruption. Recent surveying by the Australian Cyber Security Centre (ACSC) found that:

  • 72 per cent of businesses had previously experienced a cyber incident, thought it likely or almost certain to experience another one in future.
  • Nearly 50 per cent cannot or will not spend more than $500 on IT security annually.
  • One in five small businesses that use Windows have an operating system that stopped receiving security updates in January 2020.
  • Nearly one in five Mac users were unaware of what operating system their business was using.
  • The most common barriers identified in the survey for small business owners to implement good cyber security practices are:
  1. Lack of dedicated IT staff
  2. Complexity & self-efficacy
  3. Planning & responding
  4. Underestimating risk of cyber security incidents

Due to their lack of resources and know how, small businesses often have the least-protected websites, accounts and network systems — making cyberattacks a relatively easy job. Scaremongering via the media may make keeping your data and revenue safe seem an impossible task. The good news is managing Internet security is simply a matter of knowing the risks and mitigations for your business, thinking through a strategy and putting suitable measures in place.

Cyber Security – What are the risks (and remedies) for my business?

Cyberattacks on small business fall under a few different categories. These tend to mimic the same strategies used with big business and government. You may wonder what your small or micro business could possibly have that would be of interest to cyber criminals hanging out in the dark web. The answer is the same thing that motivates all criminal activity – money, data and often just pure malicious disruption. While you may be a little fish, when data is stolen from a number of little businesses, all those small fish adds up to a big school. As most small businesses don’t have the security in place like big ones do. To mix a metaphor, it’s like stealing candy from a fish bowl. Let’s look at some of the main areas where your business can be at risk:

Phishing - Don’t get caught in the net

Speaking of fish…even though phishing is typically something associated with individual email accounts and home internet security issues, it does have the potential to affect small businesses as well. With a phishing scam, staff in the business or organisation receive emails that include links that urge them to click and respond. As hackers get more sophisticated, so do their scams. In the earlier days of the internet, these emails were clearly bogus. These days, that is often not always the case. In some instances, phishing emails look much like real emails, such as one from a client, a supplier, a business partner like a bank or Telstra or an energy or gas utility. These emails are deceptive and seamless, and for a busy small business owner, are easily clicked on as they work through their inbox at pace. When they see familiar logos and fonts, it is more likely that their guard will be down, and the risk of clicking is high.

To help deal with this type of problem, small business owners and employees should make haste slowly with email. Your bank will never ask you to provide personal details in an unsecured email, especially passwords or date of birth or other key information.

Carefully check the email address, as often the key is in very subtle changes to otherwise near identical addresses – rather than for example. Never respond to pop-up messages and permanently delete anything that looks remotely like spam. Be alert but not alarmed as they say. If you feel concerned, check the website (NOT through the link in an email!) of the business it claims to have originated from, or ring them to see if they have sent it.

Beware of invoices for things you haven’t actually purchased. These are a common ploy, and too commonly paid out without scrutiny. Routinely check your business accounts and scan them for irregular transactions, if your security has been compromised you want to find out before your account is emptied.

As more businesses are using messaging services such as Whatsapp and Messenger to communicate with and market to their audiences, these are the new frontiers of sneaky phishing or malware and are harder to recognize sometimes in a message format. Cyber security awareness is not just for you, but also your staff, as it is a team effort to make sure that you stay safe. By making your employees aware of this type of attack on Internet security, it is generally much easier to reduce the risk for your company. This means training, and staff need to be made aware of how to be part of the vigilance, what they need to look out for, and how to deal with anything suspicious.


If you weren't busy simply avoiding a phishing trip, there are other significant avenues of fraud being used against small business and individuals. As with phishing, they rely on the human frailties of trust and busyness to trick people into giving away information that allows hackers to fraudulently transact. Smishing is a phishing cybersecurity attack carried out over mobile text messaging. When cybercriminals "phish," they send fraudulent emails that seek to trick the recipient into clicking on a malicious link. Smishing simply uses text messages instead of email.

There are two primary ways your information is obtained - the smishing URL link might trick you into downloading malware — malicious software — that installs itself on your phone, it might be masquerading as a legitimate app, tricking you into typing in confidential information and sending this data to the cybercriminals. The other way is that the link in the smishing message might lead to a fake website that requests you to type sensitive personal information. Cybercriminals use custom-made malicious sites designed to mimic reputable ones, making it easier to steal your information. These deep fakes are very well constructed, so if you weren't looking closely at red flags in the URL or links you may easily miss the deception.

An attacker’s smishing scheme is successful once they’ve used your private information to commit the theft they aimed for. This goal could include but is not limited to directly stealing from a bank account, committing identity fraud to illegally open credit cards, or leaking private corporate data.

Smishing deception is enhanced due to users having false confidence in text message safety. Email fraud is better known and publicised - but still manages to strip millions of dollars from business and consumers every year. When people are on their phones, they are less wary. Many assume that their smartphones are more secure than computers but smishing can attack any mobile device with text messaging capabilities reguardless of brand or platform.

The main risk factor really is that you use your smartphone on the go, often when you’re distracted or in a hurry. This means you’re more likely to get caught with your guard down and respond without thinking when you receive a message asking for bank information or to redeem a coupon - or pretending to be a family member who has lost their phone and needs to borrow some money in a hurry.

The good news is that the potential ramifications of these attacks are easy to protect against. Do nothing - if you don't take the bait you can't be hooked on the scam.

Here are a few strategies to protect yourself and your business:

  • Do not respond. Even prompts to reply like texting “STOP” to unsubscribe are used to identify active phone numbers, refuse to engage.
  • Slow down when it's urgent. You should make haste slowly with urgent account updates and limited time offers as signs of possible smishing. As yourself would this business really demand you engage this way?
  • Call your bank or the business directly. Legitimate institutions don’t request account updates or login info via text. The time it takes to call will be far less than trying to recoup your losses.
  • Avoid using links in the message. Go directly to official contact channels when you can.
  • Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
  • Use multi-factor authentication (MFA). Using MFA or Google's authenticator is the safest way to ensure you are safe to proceed.
  • Never provide a password or account recovery code via text. Never. Ever. Only ever use official account sites and check for the lock icon to make sure they are secure.


With consumers getting savvier at picking up on the more common phishing scams, like phishing and fake websites, cybercriminals are now turning to alternative scamming methods. If you have a mobile phone, you’ll likely need to contend with the increasing number and sophistication of vishing scams. Vishing is like smishing and phishing but uses voice scams to con a business or consumer. With vishing, criminals typically pretend to be from an official source, such as a bank or government organization. Many vishing scams may originate outside of your own country.

As such, a lot of vishing scammers will use voice-to-text synthesizers and recorded messages to mask their identity. You know the type, the robotic voice telling you the police are on their way to arrest you or the tax office is coming after you for fraud. These are the clumsier attempts, but for people who are unused to the way of scammers can seem very real and very scary, and prompt them to go along with the fraud out of fear.

Most vishing attempts try to convince the victim to give up PIN numbers, Social Security numbers, credit card security codes, passwords, or other personal details. That information will then be used for some type of identity fraud, or to later steal money directly from an account. In some cases, the vishing scammer will attempt to gain access to personal or financial accounts (such as a bank account) in order to steal information or money.

Most vishing scammers now rely on what’s known as caller ID spoofing. This allows them to send out phone calls that appear to be from a legitimate or localized source. Targets may feel more compelled to pick up the call as a result. However, many vishing scammers also leave a pre-recorded voicemail message should the call be ignored to further legitimise their mission.

Common types of vishing you’re likely to experience include:

  • Supposed fraud or suspicious activity on your bank account
  • Overdue or unpaid taxes to the ATO
  • Prize or contest winnings
  • Fake computer tech support calling to remotely access your PC to fix a problem
  • Fake government agencies (such as a law enforcement agency)

For businesses, vishing scammers may be more likely to put real people on the line. The scammers may warn about fraudulent or suspicious bank transfers or pretend to represent some form of computer or IT support service. The goal is to gain access to financial account information or gain remote access to computers. Some reports include people giving their supposed Telstra staff number for validation, but stay vigilant and request any details of the issue to be emailled with a job number and call Telstra directly not through any email contact details.

Like smishing or phishing the best defence is to ignore, remembering that legitimate agencies and banks will never call or ask you to give personal data over the phone. Don't answer calls from unknown numbers and be wary of voice messages that don't sound legit. Follow the advice for smishing above, and remember your phone is vulnerable to attack but you have the power to be discerning and stay safe. Make sure your staff and teams are trained and understand that a cyber attack can come on any mobile device - whether a work or a personal one.

Network security

Having a network that is not secure can be a massive problem as well, and one which is common in small businesses. An insecure network is a wide open door for anyone who wants to enter. When you or your IT provider is setting up a wireless network, it is important to make sure the default password is changed. Humans are the weakest link when it comes to network security, unbelievably, many small business owners or staff set up a network and leave the password as is. They never believe that somebody is going to access their company’s information.

It sounds unbelievably simple, but it is remarkably common, as it leaving the password the same, or making it unforgettable which normally means easy for a hacker to crack (abc123 mypetsname anyone?). Best practice is to use a number of networks, with separate ones for guests, contactors and staff so there is less chance you will be compromised. These networks also need passwords that are regularly changed, and to have limited access.

Changing the default passwords can make a huge difference. Using tools like LastPass to keep your passwords permanently uncrackable is another belt and brace approach. It is also a good idea to have high quality encryption on the network. For the best browser security, you will want to keep your preferred browser updated with the latest patches. Avoid using outdated browsers like the old Internet Explorer and Safari. Firefox and Google Chrome both give automatic updates so that you don’t have to worry about updating security for each browser.


MFA/2FA - Mulit-factor or two-factor authentication

With the increasing use of cloud and accessible anywhere service, this is a surefire path to security. Two-factor authentication is where you use two sources to identify you are who you say you are. If you use services like Xero or MyGov you will be familiar with this. Enable it wherever it is offered to ensure that you and you alone is accessing your sensitive data.

The Australian Cyber Security Centre has created a series of step-by-step guides to turn on 2FA. You can find out more here.

Disasters happen

The 2020 fires in Tasmania and the broader devastation of COVID19 should be a graphic reminder that disasters and pandemics happen, they happen to us, and when they do there is often not time to do anymore than save the things that matter the most like people and pets. You don’t want to double the devastation of business disruption by not able to access any of your business data.

Likewise if you are the subject of a cyberattack and your business systems get locked down or hijacked, you want business continuity. Maintain and where possible automate backup of locally stored or portable data - phones/laptops etc. This is the fastest and most reliable recovery from attacks such as crypto lockers, blocked access and theft. You must test the arrangements you have in place regularly to ensure they work and think about what the critical documentation is you would need for business continuity. If you use cloud services for storage these too have their outages, and a regular backup makes sure you are covered and in control.

Make regular backup copies of your key business and customer data so that if you ever lose your information, you can retrieve it quickly. Also, avoid keeping your backup in the same physical location. It doesn’t have to be a disaster to be disastrous – what if the internet goes down for a few hours and you have no other means of transacting with your customers, this can severely disrupt, so plan for the worst, and be ready to be your best.

Cyber security is important, so too is actual physical security - it’s not going to help if your backup storage gets stolen right, so be mindful of where your data is stored and who has access to it.

Virtual Private Networks (VPN)

The odds are pretty high that you and some, if not all, of your employees are working remotely, either due to travel, working from home, being on call or simply checking email or doing tasks outside of the normal work hours. Once the future of work, it is the reality of our daily lives as we have become more mobile in our work practices along with our devices. Traditionally, businesses use private networks that are primarily intended for internal use. These are often protected with firewalls meant to block unauthorized access from outside the company. To better protect the network and the data transmitted and stored on it, security professionals recommend small business use a Virtual Private Network (VPN) when accessing the network remotely.

By using a VPN for remote connections, small businesses build in a layer of security they otherwise may not have. The VPN for remote business networking keeps sensitive information private. This is especially important for those who depend on hotel or other public Wi-Fi hotspots for their work connections. And while VPN connections tend to be secure, they aren't foolproof. Any network can be penetrated, so it is vital to use extra layers of protection, like encryption. Human nature, as in all things, also comes into play. By not using best security practices, like fully logging out of the VPN connection when finished, or having weak or no passwords, leaves the network vulnerable to outsiders.

Inside (with) jobs

While many of the threats to do with Internet security come from outside sources, a disappointing amount of them come from within your business. An upset employee can be a dangerous weapon for your business and brand. In some cases the employee may have access to important data including customer information or information on other employees - they may also have access to information that is critical to your business’s success. When disgruntled, it may be easy for them to steal and then to sell to a competitor. If they don’t steal or sell it, they might decide that they want to delete it causing you a major headache. In a world where brand and social media are inextricably linked, employees that have access to your social media channels passwords can be a significant risk if they leave with an axe to grind and want to make maximum impact in a virally connected world.

Reducing the risk of a single employee causing substantial harm to a company is a matter of strategic management, and in a more personal way, being on top of your team and how they are travelling with the business as an employee. Regular performance management, or even regular check-ins, and following up when you instinctively think there is a problem emerging is the best way to avoid a fully blown crisis. A happy employee nearly always tends to be loyal and productive. When staff feel unappreciated, underpaid or unfulfilled, this is a danger zone for more than just passive under productivity. You can protect your business from staff initiated issues by dividing the most critical responsibilities and functions between different employees. This way, it limits the amount of access a single employee has to data. Also, it is a good idea to make sure the passwords change every 90 days.

When an employee leaves the company, it’s essential that you remove their account and passwords right away, if possible prior to them being given notice – there are many salutary lessons from staff who have had the time to clean out their desk and destroy their employers brand on the way out. While it takes a little extra time, you can also take steps to reduce the possibility of dealing with a disgruntled employee before hiring them. By doing background checks, educational checks, employment checks, and most critically social media account checks, you can be sure you are hiring the right people for the job.

Stolen devices

With so much of our business being undertaken on mobile devices, these light, liftable and lost assets represent a really significant risk to small business if they aren’t well managed and tracked. If an owner or employee uses his or her smart phone, tablet, or laptop for work, and they lose that device, the company could become compromised. When information is accessed or stored through laptops, tablets, or smart phones, it needs to be encrypted. The encryption has to be strong, as it will be the last means you have if your device is out there in the world unprotected.

Again, having a good firewall in place is essential, as is keeping passwords complex and regularly changed, backing up data in the cloud. Simple actions such as locking the screen with the shortest amount of idle time, having device tracking apps activated where possible, and ensuring that you see your mobile devices as extensions of your business. You wouldn’t leave your cash register unattended, so don’t leave your devices vulnerable to theft. And when it comes to a bricks and mortar business, low-tech physical security is still as important as ever, so be sure your business has secure locks, shredders, and a fire-proof safe in addition to any alarm system you may have installed.

Be your own security guard

Learning about trends in cyber security can help you protect all the hard work and other resources required for running your business. Use VPNs as a cyber security measure, and understand the importance of disaster recovery planning as part of your strategic document set. Employee training is one of the most crucial elements of a strong cyber security strategy, because if your employees aren’t making use of good security practices, you will still be at high risk, even if you use a VPN or can remotely wipe devices. Cloud business applications typically have excellent surveillance for intrusion, controlled access, auditing, and strong perimeters that keep cyber criminals at bay, so utilizing the cloud is a good start and often a smart way to manage various elements of your business in a win-win for safety and efficiency.


Internet security checklist

To recap – here is your critical checklist of do’s and don’ts when it comes to keeping your small business safe from unwanted cyber attacks, hacks and human threats!

  • No unknown downloads. Make a rule against downloading files from unknown senders.
  • Check your Firewalls. Make sure everything is up-to-date on all machines.
  • Use current virus protection on all devices. Keep it current and updated whenever new patches become available.
  • Insist upon strong passwords. Weak passwords are like an open door to your business.
  • Update your operating system regularly. This is especially important when new security patches come out. Many computers do this automatically, but make sure you have the auto update function turned on so you don't miss out.
  • Use a virtual private network (VPN). These connect you to the web with an encrypted connection so data being shared online can't be seen by third parties. VPN providers offer secure data connections between remote workers and your network too, which can be especially helpful if you send workers into the field (for deliveries or repairs, for example).
  • MFA/2FA. Enable multi or two factor identification on all devices and accounts where it is offered. Help can be found here.
  • Make sure mobile devices used for work are secure. Don't store important passwords on any mobile device. Learn how to use remote wipe capability on your phones and tablets.
  • Disaster recovery plan. Not having a plan is a disaster. By thinking through the critical elements of your business that could be compromised, and what the damage may be, you can apply the fixes and antidotes before anything happens - and have a plan of attack when it does.
  • NDB (notifiable data breach). Never send sensitive data unencrypted and unsecured, not just end to end via email, but physically controlling who has access to the data/file. A document containing personally identifiable data or medical records for example should be transmitted via a password protected PDF (for example) as a minimum.
  • People are flawed. Yes, even you. So don't assume everyone is doing the right thing, and be actively alert and across your staff, their actions and all elements of your business and give them adequate security training.
  • Outsource overwhelm. All too hard? There are plenty of companies and consultants who will happily come in, audit your business and provide solutions. Whether it is your time and money or their time and your money, this is a non-negotiable expense that will save you far more than it will cost you in the long run.

The good news is managing Internet security, even in a disaster or a global pandemic, is simply a matter of knowing the risks and mitigations for your business, thinking through a strategy and putting suitable measures in place. Read through this fact sheet and check off what applies to your business, keep up to date with what is happening nationally through the Australian Cyber Security Centre and be wary of any unsolicited attempts to ask for sensitive personal or business information, even if they seem to come from a reputable organisation. Stay healthy, stay trading, stay alert (but not alarmed).