Small business cybersecurity guide

Scams are a common way that cybercriminals target small businesses. Their goal is to scam you or your staff into:

• sending money or gift cards
• clicking on malicious links or attachments
• giving away sensitive information, such as passwords.

Cybercriminals may try and scam your business through email, text messages, phone calls and social media. They will often pretend to be a person or organisation you trust.

Phishing attacks

Of particular concern to small businesses are phishing attacks. These scams often contain a link to a fake website where you are encouraged to log in to an account or enter confidential details.

Phishing attacks typically compromise your account passwords. Cybercriminals often use this method to “takeover” the social media accounts of small businesses and hold them to ransom.

Ways to mitigate

If a message is from a known entity and seems suspicious, use caution. Contact the person or business separately to check if the message is legitimate. Use contact details you find through a legitimate source, for instance by visiting the business’s official website, and not those contained in the suspicious message. 

Learn more about identifying scams and phishing attacks with the following resources:

• Recognise and report scams
• Learn how to spot phishing scams
• Detecting Socially Engineered Messages

Case study

An employee at a courier company received an email from one of their Executive staff, asking that they purchase 6 x $500 MasterCard prepaid credit cards. The Executive told her to keep it confidential as the cards would be gift vouchers for staff members. Once purchased, the employee was asked to photograph both sides of the cards and send them through to the Executive as proof of purchase.

As instructed, the employee went to a post office and used her personal credit card to purchase the gift cards. She replied to the Executive’s email and sent through photos of the gift cards as proof.

After returning from the post office, the employee gave the physical cards to the Executive – who had no knowledge of them. On review, all emails about the gift cards came from a random email address and were not from the Executive’s legitimate email account. It had been a scam.

In addition to scams like phishing, a common email attack against small businesses is business email compromise (BEC). Criminals can impersonate business representatives by using compromised email accounts, or through other means – like using a domain name that looks similar to a real business. Aside from stealing information, the goal of these attacks is usually to scam victims into sending funds to a bank account operated by the scammer.

Ways to mitigate

The best defence against email attacks is training and awareness for your employees. Ensure your staff know to always be cautious of emails with the following:

• requests for payments, especially if urgent or overdue
• change of bank details
• an email address that doesn't look quite right, such as the domain name not exactly matching the supplier's company name.

While these attacks can be devastating, the mitigation measures are easy and cost almost nothing. When staff receive emails like this, the most effective mitigation is to call the sender to confirm they are legitimate. Do not use the contact details you have been sent as these could be fraudulent. Introduce a formal process for staff to follow when payment requests are received or bank details are changed.

Learn to protect your business from BEC scams and email compromise with the following resources:

• Business email compromise
• Protect your business from email fraud and compromise
• What to do if your business has been targeted by email fraud or compromise.

Case study

A small construction business received an email from their supplier saying they had changed banks. The supplier provided new account details for invoice payments. Because the email seemed legitimate, the construction business did not call the supplier to confirm the change in bank account details.

The business paid an invoice from the supplier for over $70,000. The following day, another employee mistakenly paid the same invoice again for an additional amount over $70,000. In total, over $150,000 was paid to the new bank account.

When the business rang their supplier to ask if they could refund the duplicate payment, the supplier advised those banking details were incorrect. An investigation was launched immediately, and the supplier discovered that one of their email accounts had been hacked and was sending out fraudulent bank account details. No funds were recovered.

Malware is a blanket term for malicious software designed to cause harm, such as ransomware, viruses, spyware and trojans. Malware can:

• steal or lock the files on your device
• steal your bank or credit card numbers
• steal your usernames and passwords
• take control of or spy on your computer.

Malware can stop your device from working properly, delete or corrupt your files, or allow others to access your personal or business information. If your device is infected with malware, you could be vulnerable to other attacks. The malware could also spread to other devices on your network.

Your device can be infected by malware in a number of ways, including:

• visiting websites that have been infected by malware
• downloading infected files or software from the internet
• opening infected email attachments.

Ransomware

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them. A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also threaten to publish or sell data online, unless a ransom is paid.

Ways to mitigate

While anti-virus or security software can help protect you from malware, no software is 100% effective. Staff must be vigilant with emails, websites and file downloads and regularly update their devices to stay secure.

See the following resources for more information on protecting your business from ransomware:

• Ransomware
• Protect yourself against ransomware attacks
• What to do if you're held to ransom.

Case study

Employees of an auto parts store came into work one morning and were not able to boot their server computer. When their IT provider got access to the server, they found a window open that said all the computer data had been encrypted. The note demanded they pay a ransom in bitcoin to unlock the files.

There was a backup drive plugged into the computer, which had also been encrypted. They tried to connect more backup drives, but the files were automatically encrypted within seconds. They had failed to remove the ransomware before attempting to recover their data and lost every backup file they had.

The only option left was to factory reset the server and start fresh with a new system. Their business lost many years of data and had to start over.

Multi-factor authentication (MFA) makes it harder for cybercriminals to access your accounts.

MFA adds another layer of security to your account. It is one of the most effective ways to protect your accounts from someone getting access, so you should use it wherever possible. Anyone who logs into your account will need to provide something else in addition to your username and password. This could be a unique code from a text message or an authenticator app.

For more information, read our advice on MFA.

Getting started

• You might already be using MFA on some accounts, but you should turn it on wherever you can.
• Start with your important accounts like email, banking, document storage and social media. 
• MFA is often set up through the security settings on your account. If you’re not sure how to set it up, read our advice on MFA or do a separate search online (for example, “facebook mfa”).  
• Some services may use a different name for MFA, such as “two-factor authentication” or “two-step verification”, so don’t be surprised by these terms in your search.  

✓ Turn on MFA wherever possible, starting with your most important accounts.

Protect your accounts from cybercriminals with a secure password or passphrase.

Many small businesses face cyberattacks as a result of poor password behaviours. For example, reusing the same password on multiple accounts. You can use both password managers and passphrases to create strong passwords.  

A password manager acts like a virtual safe for your passwords. You can use it to create and store strong, unique passwords for each of your accounts. If you have a lot of accounts, this removes the burden of remembering unique passwords. You don’t have to remember the passwords or the accounts they belong to, as it is all recorded in your password manager. 

For accounts that you sign into regularly, or that you otherwise don’t want to store in a password manager, consider using a passphrase as your password. Passphrases are a combination of random words, for example ‘crystal onion clay pretzel’. They are useful when you want a secure password that is easy to remember. Use a random mix of four or more words and keep it unique – do not reuse a passphrase across multiple accounts. For more information, read our advice on passphrases and password managers.

Getting started

• Find a password manager that’s right for your business. Do a search online for “password managers” and compare the security, quality and features of any products you are considering. If you are unsure, ask an IT professional or trusted advisor for a recommendation.  
• Protect your password manager by using MFA and a long, unique passphrase as your master password. Make your master password as strong as you can.
• Add your existing accounts into your password manager. Then, use the password manager to randomly generate new passwords which are at least 15 characters in length. Starting with your most important accounts, update the passwords to the new ones you have created with your password manager. 

✓ Use a password manager to create and store unique passwords or passphrases for each of your important accounts.  

Sharing accounts can compromise security and makes it difficult to track malicious activity.  

In a small business, there may be legitimate reasons why staff need to share accounts, but it should be avoided as much as possible. When multiple staff use the same account it can be hard to track activity back to a specific employee and even harder to track cybercriminals breaking in. Unless you change the password, employees could also continue accessing accounts even after they have left the business. 

Getting started 

• Where possible, create individual accounts for each staff member instead of sharing accounts. 
• Create and maintain a list of the shared accounts in your business and which staff have access to them. Consider where you could eliminate shared accounts or reduce the number of staff with access.
• Be mindful of how you share passwords and passphrases. Use secure communication methods, such as a password manager that will allow secure sharing of passwords (including passphrases) between staff. If your password manager does not have this feature, split the password across different communication methods.
• Remember to change the login details for shared accounts if a staff member leaves the business or changes roles.
• Use MFA on shared accounts where possible. Many services allow to you have MFA even if an account is shared on multiple devices. For example, you can have up to five devices connected to a single Instagram account and still use MFA to log in.  

✓ Limit the use of shared accounts and secure any that are used in your business. 

Restricting user access can limit the damage caused by a cybersecurity incident.

Access control is a way to limit access to certain files and systems. Typically, staff do not require full access to all data, accounts, and systems in a business. They should only be allowed to access what they need to perform their duties.

Restricting access will help limit the damage caused by a cybersecurity incident. For example, if a staff member’s computer is infected with ransomware, with proper access controls it might only affect a small number of files rather than the entire business.

Getting started

• Identify each user in your business and what they have access to. Decide if they have the appropriate access permissions for their role. Consider access to:
   
  • files and folders
  • databases
  • mailbox
  • applications
  • online accounts
  • networks.
     
• Implementing the principle of least privilege is typically the safest approach for most small businesses. Under this principle, users have the bare minimum permissions they need to perform their work. For example, not every staff member may need access to financial or HR files.
• Avoid giving staff administrator-level access on any devices or systems.
• Revoke access from staff who leave the business.
• Access controls might be managed by your IT provider or IT staff. Speak to them if you are unsure how to action this step.

✓ Ensure each user can access only what they need for their role. 

Keeping your software up-to-date is one of the best ways to protect your business from a cyberattack. 

Updates can fix security flaws in your operating system and other software, so that it is harder for a cybercriminal to break in. New flaws are discovered all the time, so don’t ignore prompts to update. Regularly updating your software will reduce the chance of a cybercriminal using a known weakness to run malware or hack your device. 

If your device or software is too old, then updates may not be available. If the manufacturer has stopped supporting the product with updates, you should consider upgrading to a newer product to stay secure. Examples of systems that no longer receive major updates are the iPhone 7 and Microsoft Windows 7. 

Getting started 

• Update all of your devices, apps and other software. This is often done through the Settings menu. If you need help, the ACSC has published guidance on updates.
• Where possible, turn on automatic updates. If this setting is not available, set a reminder to regularly check for updates. Try to schedule updates to occur outside of business hours to avoid disruptions. 
• Check that other devices in your business network are regularly updated, including servers and Network Attached Storage (NAS) devices if you have them. Speak to an IT professional if you are unsure.  

✓ Turn on automatic updates for your devices and software.

Regular backups can help you recover your information if it is lost or compromised.

Backing up important information should be a regular or automatic practice in your business. Without a regular backup, it could be impossible for you to recover your information after a cyberattack.

There are many methods and products you could use to back up your information. For detailed advice on backing up your business, read our advice for backups. The best option will vary for each business, so speak with an IT professional if you are unsure.

Getting started

• Create a plan or procedure for backing up your business. This will be different for every business. Your plan should answer the following questions:
  • What data is or is not backed up?
  • When do backups occur?
  • Where are the backups stored?
  • Who is responsible for managing the backups?
  • How long are the backups kept for?
  • How often are the backups tested?
     
• Think about everywhere your important information is stored. Are these locations included in your backup plan? For example, information held in your email or cloud accounts.
• Ask an IT professional if you need help creating your plan or setting up your backups.

✓ Create and implement a plan to regularly back up your information.

Security software such as anti-virus and ransomware protection can help protect your devices.

Use security software to detect and remove malware from your devices. Anti-virus software can be set up to regularly scan for suspicious files and programs. When a cyberthreat is found, you will receive an alert and the suspicious file will be quarantined or removed.

Many small businesses can use Windows Security to protect themselves from viruses and malware. Windows Security is built-in to Windows 10 and Windows 11 devices and includes free virus and cyberthreat protection. You can also use it to turn on ransomware protection features on your device.

For alternative products and options, read our advice on anti-virus software.

Getting started

• To learn more about Windows Security, search for “Windows Security” in your Start Menu. You should also visit Microsoft’s website for more information, including how to use controlled folder access for protection against ransomware.
• Ask an IT professional or trusted advisor for a recommendation if you’re not sure which security software is best for your business.
• Set up your security software to automatically do regular scans, for example every week.
• Familiarise yourself with your security software, including what a legitimate alert looks like. This will help you avoid scams that pretend to be your anti-virus software.

✓ Set up security software to complete regular scans on your devices. 

Protect your business from a cyberattack by addressing potential vulnerabilities in your network.

The devices and services in your network can be a prime target for cybercriminals. Many of these systems can be complex to secure, so discuss the following recommendations with an IT professional.

• Secure your servers: If you use a NAS or other server in your home or business, take extra care to secure them.  These devices are common targets for cybercriminals because they often store important files or perform important functions. There are many mitigation strategies required to protect these devices. For example, it's important to ensure any server or NAS devices are updated regularly. Administrative accounts should be secured with a strong passphrase or multi-factor authentication.
• Minimise external facing footprint: Audit and secure any internet exposed services on your network. This might include Remote Desktop, File Shares, Webmail and remote administration services. 
• Migrate to cloud services: Consider using online or cloud services that offer built-in security, instead of managing your own. For example, use online services for things like email or website hosting rather than running and securing these services yourself.
• Improve your router’s security: Follow our guidance on ways to secure your router, including updating default passwords, turning on “Guest” Wi-Fi for customers or visitors, and using the strongest encryption protocols.
• Understand your cyber supply chain: Modern businesses often outsource multiple services. For example, using a Managed Service Provider to maintain their IT. Security issues with these services or providers could have a significant impact to your business. For detailed advice on cyber supply chain risk management read our Cyber Supply Chain Guidance

✓ Speak to an IT professional about ways to secure your network. 

Websites are a prime target for cyberattacks.

Protect your website from being hijacked by following some basic security measures:

• secure your website login with multi-factor authentication or a strong password
• regularly update your website’s content management systems and plugins
• back up your website regularly so you can restore it after a cyberattack.

The ACSC has additional resources available for website owners

• Quick Wins for your Website
• Implementing Certificates, TLS, HTTPS and Opportunistic TLS
• Domain Name System Security for Domain Owners
• Preparing for and Responding to Denial-of-Service Attacks

Getting started

• Set up auto-renewal for your website’s domain name.
• If an external party manages or develops your website, speak with them about ways to improve your website security.

✓ Read through the ACSC resources on website security. 

The data on your old devices could be accessed by strangers.

If you do not dispose of your devices securely, cybercriminals could access the information on it. This could include emails, files and other business data. Remove all information from your business devices before selling, trading or throwing them away. For example, by doing a factory reset. This will help wipe any information and restore the device to its original settings.

For advice on resetting your devices, read our guidance on how to dispose of your device securely.

Getting started

• Even when following the right steps, your information may still be able to be recovered. If the information on your device is particularly sensitive, you should consider using a data destruction service or asking an IT professional to help you dispose of it securely.

✓ Perform a factory reset before selling or disposing of business devices.  

Restricting access to your business devices will reduce opportunities for malicious activity.

Limiting physical access to your business devices is a simple way to prevent data being stolen or other malicious activity. Business devices should not be kept where unauthorised staff or members of the public could access them.

Use security controls to further protect your business devices. At a minimum, they should be locked with a passphrase, PIN or biometrics. Ensure these devices are set to automatically lock after a short period of inactivity.

Getting started

• For security tips for mobile devices, including remote tracking features and encryption, read our advice on securing mobile phones.

✓ Configure devices to automatically lock after a short time of inactivity.

Data held by your business is an attractive target to cybercriminals.

Data breaches are on the rise – don’t let your business fall victim. It’s important to understand what data your business holds, and in what locations. Once you’re aware, use the recommendations in this guide to help protect your data from being accessed by cybercriminals. Some small businesses may also have additional obligations under legislation.

• Consolidate your business data. You might have data stored across numerous devices or services. When data is decentralised, it increases the number of systems you have to keep secure and backed up. Numerous systems can also create more opportunities for a cybercriminal to attack. Where possible, store your business data in a central location that is secure and backed up regularly. Centralising your data can create a bigger breach if your systems are compromised, so ensure this central location is adequately protected with secure configurations and restricted access. Speak to an IT or cybersecurity professional for advice.
• Know your obligations for protecting data. Some small businesses may have legal obligations for handling personal information they collect. Read the Office of the Australian Information Commissioner’s guide for small businesses to learn more. Consult with a legal professional if you are unsure.

✓ Understand the data your business holds and your responsibilities to protect it. 

Employees with good cybersecurity practices are your first line of defence against cyberattacks.

Your employees should have an awareness of cybersecurity, including the following topics:

• common cyberthreats such as business email compromise and ransomware
• protective measures including strong passwords or passphrases, MFA and software updates
• how to spot scams and phishing attacks
• business specific policies (for example, processes for reporting suspicious emails or for validating invoices are genuine before paying)
• what to do in an emergency.

ASD's ACSC website has resources for most of these topics at cyber.gov.au/learn. You might consider other ways of educating your employees, for example with a formal course or internal training. However you decide, remember that cybersecurity training isn’t a once-off requirement and should be refreshed periodically.

Getting started

• Set time aside for your employees to focus on cybersecurity training, or organise a course for everyone to attend.
• Encourage employees to visit cyber.gov.au/learn and work through the modules and quizzes.
• Consider adding cybersecurity training or practices into the induction process for new employees.
• Encourage positive security habits in your staff to build a positive security culture in your business. You might do this by offering rewards or finding ways to make security processes easier. For example, rewarding staff who identify phishing emails or providing a password manager for your staff to use.

✓ Determine how cybersecurity awareness will be taught in your business. 

An emergency plan could reduce the impact of a cyberattack on your business.

When responding to a cybersecurity incident, every minute accounts. Having an emergency plan means your staff can spend less time figuring out what to do and more time taking action.

Consider the following questions when creating your emergency plan:

• What is the process for your staff to report potential cybersecurity incidents?
• Who do you contact for assistance? For example, IT professionals and your bank.
• How will the incident be communicated to your staff, stakeholders, or customers?
• How will you manage business as usual, if any critical systems are offline?

Make sure your staff are familiar with the emergency plan, including any roles or responsibilities they may have. Maintain a hard copy of the plan in case your systems are offline when you need it.

Getting started

• Think about relevant cyberthreats to your business, such as ransomware and business email compromise. Consider how different cyberthreats could affect your business and how you should respond to each scenario.
• Create a plan that addresses the above questions. For example, a contact list with names and numbers of people who can help you recover from an incident.
• For more guidance, read ASD's ACSC’s advice on cybersecurity incident response planning for executives and cybersecurity incident response planning for practitioners.
• Use ASD's ACSC’s Exercise in a Box to test your emergency plan in a safe environment.

✓ Create an emergency plan for cybersecurity incidents.

Become an ASD's ACSC partner to receive the latest information from the ACSC.

Stay informed of the latest cyberthreats and vulnerabilities by becoming an ACSC partner. This service will send you monthly newsletters and alerts when a new cyberthreat is identified.

Cybersecurity is a rapidly evolving field. Cybercriminals actively exploit vulnerabilities within minutes of their discovery. Staying informed of the cybersecurity landscape will help your business to understand the cyberthreats it is likely to face and how to protect against them.