For a small business, even a minor cyber security incident can have devastating impacts.
So how can you stay ahead of cybercriminals?
By following the basic security measures in this guide, starting with these important steps:
Turn on multi-factor authentication
Update your software
Back up your information
You can download the full guide below and view our educational pack for small businesses.
If you need more help, talk to an IT professional or a trusted advisor.
Measures to stay cyber secure
Secure your accounts
Multi-factor authentication (MFA) makes it harder for cybercriminals to access your accounts.
MFA means you need two or more pieces of information to log in. For example, you log into an account with your username and password, then enter a unique code from a text message or an authenticator app.
You should turn on MFA where possible, starting with your most important accounts. Read our guides on MFA.
Protect your accounts from cybercriminals with a secure password or passphrase.
Use a password manager to create and store unique passwords or passphrases for each of your important accounts. For accounts you sign into often, like your password manager, consider using a passphrase. A passphrase is a more secure version of a password, made up of four or more random words and at least 14 characters long.
Read our guide on passphrases and password managers.
Sharing accounts can compromise security and make it difficult to track malicious activity.
It can be hard to track the activity of a staff member or notice that cybercriminals are breaking in. It's best to create an account for each staff member. If you must use shared accounts, use multi-factor authentication and keep a list of who has access.
Remember to change the login details for shared accounts when staff change roles or leave the business.
Restricting user access can limit the damage caused by a cyber security incident.
By using access controls, you can limit the files, accounts, and systems a staff member has access to. If their computer or account has been breached, access controls can reduce damage to your business.
Ensure staff can access only what they need for their role and revoke access after they leave the business.
Protect your devices and information
Keeping your software up to date is one of the best ways to protect your business from a cyber attack.
Updates can fix security flaws in your operating system and other software. Regular updates will reduce the chance of a cybercriminal exploiting a known weakness to hack your device.
Update all devices, apps and software on your business network, and turn on automatic updates if you can. If they're too old to receive updates, consider upgrading to a newer product. Read our guidance on updates.
Regular backups can help you recover your information if it’s damaged, lost or stolen.
A backup is a digital copy of your information, which makes it possible to recover after a cyber attack. There are many backup methods, so find an option that’s right for your business.
Create a plan to back up your files regularly or turn on automatic backups. Read our advice and guidance on backups.
Security software such as antivirus and ransomware protection can help protect your devices.
It can scan for suspicious files and programs and then remove them from your device. Many small businesses can stay protected with Windows Security. You can also use controlled folder access for protection against ransomware. For more options, read our advice on antivirus software.
If you're not sure which option is best for your business, seek help from an IT professional.
Protect your business from a cyber attack by fixing potential vulnerabilities.
- Update servers and network-attached storage devices regularly.
- Check and secure any internet-exposed services like Remote Desktop.
- Consider using online or cloud services that offer built-in security.
- Use strong passphrases to protect admin accounts.
- Secure your router by changing default passwords, enabling guest Wi-Fi, and using strong encryption.
- Understand your cyber supply chain and the risks of outsourcing services.
Seek help from an IT professional if needed.
Websites are a prime target for cyber attacks.
Protect your website login with MFA or a strong password. Create backups of your website and update its systems and plugins often. Read our advice on quick wins, setting up certificates and encryption, domain name system security, and denial-of-service attacks.
If an external party manages your website, talk to them about your options.
The data on your old devices could be accessed by strangers.
By not disposing of your devices securely, you may be exposing your emails, files and other business data to cybercriminals. Wipe all data on your old devices by doing a factory reset. If the information is very sensitive, you can seek help from an IT professional or data destruction service.
Read our guide on how to dispose of your device securely.
Restricting access to your business devices will reduce opportunities for malicious activity.
To prevent data theft and other cyber threats, limit access to your business devices. Keep them in secure places that only authorised staff can access. Secure them with a password, PIN, or biometrics and set them to automatically lock after a short time.
Read our advice on securing your mobile phone.
Data held by your business is an attractive target to cybercriminals.
To protect it, identify what data you have and where it’s stored. Store your data in a central location that is secure and backed up often. You should also be aware of your legal responsibility when handling personal information. Some small businesses may have extra legal obligations.
Read the OAIC's guide for small business or seek help from a legal professional.
Prepare your staff
Staff with good cyber security practices are your first line of defence against cyber attacks.
Teach your staff about cyber security. This includes common threats, protective measures, and how to respond to attacks. Provide time for regular training and make it part of the induction process for new staff.
Use our learn cyber security resources.
An emergency plan could reduce the impact of a cyber attack on your business.
When responding to a cyber security incident, every minute counts. Having a plan means you and your staff can act faster. Keep a hard copy in case your systems go offline.
Think about relevant threats, their impact on your business, and how you'll respond. Consider who you would contact and how you would keep the business running. Once you have a plan in place, use our exercise in a box to test it with your staff.
Become an ASD partner to receive the latest information from us.
Cybercriminals are constantly coming up with new ways to exploit vulnerabilities. To stay ahead of these threats, sign up for our free alert service. We’ll notify you whenever we identify a new threat or vulnerability.
Small businesses can apply to join our Partnership Program to access even more information.
Small business cyber security guide
Case Study: Business email compromise
A small construction business got an email from their supplier saying they had changed banks. The supplier gave them new account details for invoice payments. Thinking the email was genuine, the business didn't call the supplier to confirm.
The business then paid an invoice for over $70,000 to the supplier. The next day, a different employee paid the invoice again by mistake.
When the business rang their supplier to ask for a refund, they realised they had incorrect account details. After looking into it, the supplier noticed their email account had been hacked. The hacker had changed the account details to their own. In the end, the business was unable to recover more than $150,000.