How to protect your small business from cyber attacks

Australian small businesses are falling victim to cyber attackers at an alarming rate. Before you click that next link or open that next email, here’s what you need to do to secure your digital environment. 

Cyber attacks are costing Australian businesses $29 billion a year, and according to a 2019 Accenture study, 43 per cent of those attacks are directed at small businesses. But despite being in the firing line, only 14 per cent of small businesses are prepared for an attack. 

Not only can a cyber breach interrupt the operations of your business and cost you a significant amount of money, but if sensitive customer data is stolen, it can ruin your brand’s reputation and have devastating long-term effects – both for your business and for your customers. 

As the world becomes more connected, the threat vectors available to cyber criminals increase, and the risk to your business rises. However, there are measures you can put in place to protect yourself. 

Cyber Health, the free cyber security program powered by CCIQ and REDD and funded by the Department of Industry, Science, Energy & Resources, recently held a workshop at the Brisbane Business Hub to discuss ways to combat cyber security risks to small businesses. 

Here are a few actions you can take and improvements you can make to start securing your business today.  

Stay up to date 

When it comes to cyber security, there’s no such thing as ‘set and forget’. Cyber attackers are constantly on the lookout for known weaknesses and vulnerabilities to take advantage of, so vendors regularly release updated versions of their software to address these problems as they arise. 

The recent Microsoft Exchange attack, for instance, saw hackers pile on to an identified vulnerability and compromise at least 30,000 email systems before it was closed. Whether it’s your content management system (CMS), operating system (OS) or any application your business uses, be sure to stay up to date with security hotfixes and patches, and turn on automatic updates if they’re available. 

It’s particularly important that you’re running up-to-date antivirus software that can automatically detect, quarantine and remove malicious threats to your system. Antivirus software relies on detecting ‘signatures’ – known patterns that identify code as malware – so it’s crucial to stay up to date to ensure you’re protected against the latest threats. 

Use strong passwords 

Develop strong password guidelines for your company that balance security with usability. 

The National Institute of Standards and Technology (NIST) recommends passwords with a minimum length of eight characters, and encourages users to go all the way up to 64 characters. But complexity isn’t everything – NIST also notes that overly complex passwords can lead to users forgetting them and setting weaker ones instead. 

Similarly, while requiring users to change passwords every few months has long been considered best practice, NIST no longer recommends this. Enforced reset periods are now seen as more detrimental than constructive, because users struggle to come up with strong new passwords on a regular basis. 

According to NIST, you should limit the number of attempts a user can make to enter their password to 10 – enough that a genuinely forgetful user isn’t locked out, but not so many that it’s open season for brute-force attackers who test a wide range of combinations until they chance upon the correct login. 

And rather than using the same passwords across all sites and devices, you can use a password manager, essentially a virtual book of passwords that requires a ‘master key’ to access. This will store your organisation’s passwords and help you generate stronger, more secure logins.
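As an added illustration (not code from the original article or from Cyber Health), here is how the password rules above translate into a login routine: a length check of 8 to 64 characters with no complexity or expiry rule, salted password hashing, and a lockout after 10 consecutive failed attempts. The usernames, the PBKDF2 iteration count and the in-memory user store are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Limits taken from the password guidance above (length only, no complexity or rotation rule).
MIN_LEN, MAX_LEN, MAX_ATTEMPTS = 8, 64, 10


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so a stolen user database does not reveal the passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)  # iteration count assumed


class LoginGate:
    """In-memory user store (assumed for the demo) that locks an account after MAX_ATTEMPTS failures."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self.failures: Dict[str, int] = {}                 # username -> consecutive failed logins

    def register(self, user: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password " + "; ".join(problems))
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        # Hash against a dummy record for unknown users so response time does not
        # reveal which usernames exist.
        salt, stored = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_password(password, salt)
        if user in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(user, None)   # a good login resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```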

Implement multi-factor authentication 

Passwords are a good start, but you should also put additional security measures in place. 

Multi-factor authentication (MFA) is a process that requires at least two pieces of information to verify a user’s identity, minimising the risk of a cyber attacker gaining access to your network by obtaining a username and password. 

Authentication categories can include something you know, something you have, and something you are.

Something you know could be a password, or it could be a pre-established answer to a secret question. 

Something you have could be a physical token, like a smart card or a key fob, or it could be a software-based token, in the form of a single-use verification code sent via SMS or email. 

Finally, something you are could include biometric identification of your eyes, fingerprints, face, voice, signature or keystroke. If your mind immediately jumped to high-tech, high-security facilities in movies when you heard the word ‘biometric’, keep in mind that the fingerprint scanner you use to sign in to your phone dozens – or hundreds – of times a day is a form of biometric identification. 

By using at least two of these forms of authentication in conjunction with each other, you can make a hacker’s life much harder. 
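An added example, not part of the original article, of the software-based "something you have" factor described above: a server-side store that issues a single-use verification code for delivery by SMS or email, keeps only a hash of it, and rejects replays, expired codes and repeated guessing. The six-digit format, five-minute lifetime and five-attempt cap are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_DIGITS = 6            # the familiar SMS/email code format (assumed)
CODE_TTL_SECONDS = 300     # a code is only good for five minutes (assumed)
MAX_CODE_ATTEMPTS = 5      # six digits is only a million guesses, so cap the tries (assumed)


class OneTimeCodeStore:
    """Issues and checks single-use verification codes. Only a hash of each code is
    kept server-side, and a code is burned after one successful check, expiry,
    or too many wrong guesses."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: Dict[str, List] = {}  # user -> [code_hash, expires_at, attempts]

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str) -> str:
        """Generate a fresh code for the user; the caller delivers it out of band (SMS/email)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [self._digest(user, code), self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_CODE_ATTEMPTS:
            self._pending.pop(user, None)     # expired or being brute-forced: discard it
            return False
        entry[2] += 1
        if hmac.compare_digest(self._digest(user, code), code_hash):
            self._pending.pop(user, None)     # single use: the same code cannot be replayed
            return True
        return False
```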

Utilise firewalls and VPNs 

A firewall monitors incoming and outgoing traffic, and blocks or allows that traffic based on a defined set of security rules. It cuts off attack vectors by blocking malicious users before they can enter your system, and restricting unnecessary outbound communications. 

You should consider installing a router or modem-based firewall for your corporate network, as well as installing host-based firewalls directly on wireless devices that access your network. That way, even if your network is compromised, you’ll have an extra layer of protection on each device. 

Similarly, with a drastic rise in cybercrime since the onset of COVID-19, it’s important to make sure employees are able to connect securely to the office when they’re working remotely. They can do this by connecting through a Virtual Private Network (VPN), which encrypts communications at the sending and receiving ends and keeps out any traffic that isn’t properly encrypted. 

If your organisation has a VPN, you should require your employees to log into it anytime they need to use a public wireless access point. 

Be on guard against suspicious emails 

No matter how secure your perimeter is, it isn’t guaranteed to protect you from cybercriminals. You’ll also need to provide cybersecurity awareness training for the people in your organisation, so they can form good security habits and are informed about how to spot common methods of attack. 

Phishing emails, for instance, are a popular method for attackers to steal sensitive information, including business passwords, and install malware on your devices. Phishing emails are fraudulent emails that are designed to look like they come from a real person, business, government agency or financial institution, often by using addresses with a slight variation in spelling or a different domain name. 

If you’re not sure if an email is legitimate, you should verify it by contacting the sender directly through another means. Until you get that confirmation, don’t click on any links in the email, don’t open any attachments, and don’t provide the sender with any information. 

You can stay on top of the latest phishing trends and techniques by following the Anti-Phishing Working Group, and subscribing to the Australian Cyber Security Centre’s (ACSC) alert service.
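The look-alike sender addresses described above can be checked mechanically before a message reaches a busy inbox. This added example (not from the original article) classifies the domain in an email's From: header against a constructed allow-list of trusted domains, flagging digit-for-letter substitutions, transposed letters and a trusted name embedded in a longer domain; the domains, the substitution table and the similarity threshold are assumptions made for the demo.

```python
import difflib
import unicodedata
from email.utils import parseaddr
from typing import Tuple

# Constructed allow-list: domains this business genuinely deals with. In practice this
# is loaded from configuration and should also list your own legitimate subdomains.
TRUSTED_DOMAINS = {"example-bank.com.au", "mysupplier.com", "ato.gov.au"}

# Digit-for-letter swaps often used to imitate a domain (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SIMILARITY_THRESHOLD = 0.85   # assumed cut-off for "one or two letters off"


def normalise(domain: str) -> str:
    """Fold case and accents, then undo the usual look-alike substitutions."""
    ascii_only = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_only.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_sender(header_from: str) -> Tuple[str, str]:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown', with a reason.
    'lookalike' is the case the article warns about: a slightly altered spelling or a
    trusted name wrapped inside another domain."""
    _, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].strip().lower()
    if not domain:
        return "unknown", "no sender address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalise(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == normalise(trusted):
            return "lookalike", f"{domain} imitates {trusted} via character substitution"
        if trusted in domain:
            return "lookalike", f"{domain} embeds the trusted name {trusted}"
        ratio = difflib.SequenceMatcher(None, norm, normalise(trusted)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{domain} is {ratio:.0%} similar to {trusted}"
    return "unknown", domain
```

A 'lookalike' verdict is a prompt for the out-of-band check the article recommends, not proof of fraud: add your own legitimate subdomains to the allow-list so they are not flagged.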

Back up and encrypt your data 

Back up your system and any important files frequently, verify those backups regularly, and store them on a separate device that can’t be accessed from the network, such as an external hard drive. 

That way, if attackers gain access to your network and encrypt your data, and demand a ransom for its return, you can instead restore your system to its previous state by using your backups – no ransom required. 
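Verifying a backup means more than checking that the files are present. This added example (not from the original article) records a SHA-256 manifest when the backup is taken and, on each verification run, re-hashes the copy and reports files that are missing, changed or unexpected; the file names and contents in demo() are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "MANIFEST.json"   # assumed name for the hash list stored beside the backup


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(backup_dir: Path) -> Dict[str, str]:
    """Map each file's path (relative to the backup root) to its SHA-256."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir: Path) -> None:
    """Run when the backup is taken: record what the backup should contain."""
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(hash_tree(backup_dir), indent=2))


def verify_backup(backup_dir: Path) -> Dict:
    """Run on the regular verification cadence: re-hash and diff against the manifest."""
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    actual = hash_tree(backup_dir)
    report = {
        "missing": sorted(set(expected) - set(actual)),
        "changed": sorted(n for n in expected if n in actual and expected[n] != actual[n]),
        "unexpected": sorted(set(actual) - set(expected)),
    }
    report["ok"] = not (report["missing"] or report["changed"] or report["unexpected"])
    return report


def demo() -> Dict[str, Dict]:
    """Constructed backup set in a temp directory: verify it clean, then after damage."""
    root = Path(tempfile.mkdtemp())
    (root / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
    (root / "docs").mkdir()
    (root / "docs" / "contract.txt").write_bytes(b"constructed sample contract")
    write_manifest(root)
    clean = verify_backup(root)
    (root / "invoices.csv").write_bytes(b"id,amount\n1,999\n")   # silent corruption
    (root / "docs" / "contract.txt").unlink()                    # file lost from the copy
    (root / "extra.bin").write_bytes(b"\x00" * 8)                # something never backed up
    return {"clean": clean, "tampered": verify_backup(root)}
```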

It’s also recommended that you protect your data using strong, standard encryption – at least 256-bit AES (AES-256) – for both data at rest (data stored on a hard drive, device, or archived in some other way) and data in motion (data actively moving from one location to another, either across the internet or through a private network). 

Encrypting your files will prevent attackers from being able to access them without an encryption key, making your data virtually worthless to a cybercriminal who might otherwise have used it to steal intellectual property, extort your business or access your customers’ private information. 

If you become aware that your data has been compromised, make sure to contact anyone affected, including staff, colleagues, family and friends, as well as your legal provider, who can help you to contact your customers, clients and suppliers. 

You should also report the breach to the ACSC, and if you’re required to do so under law, to the Office of the Australian Information Commissioner.

Get a Cyber Health check 

Want to know how your cyber security measures up? Cyber Health offers a free assessment tool, powered by BrightREDD, that benchmarks your business against industry standards for password governance, business continuity plans, data storage policies, and employer and employee obligations. 

Once your assessment is completed, you’ll be sent a free report with detailed insights to help identify areas of improvement for your business and enhance your cyber security. If your results indicate your organisation needs a boost, you’ll be eligible for a deep dive vulnerability audit performed by certified cyber security professionals, to fix and close off any critical exploitable weaknesses in your business’ digital environment. 

To use the free assessment tool, and for more information on how to protect your business from cyber attacks, visit

Written By

Brisbane Business Hub


