Reference: Australian Cyber Security Centre (ACSC)

For a small business, a cyber security incident can have devastating impacts. In this article, we have summarised a guide developed by ACSC to help small businesses protect themselves from the most common cyber security incidents.

Unfortunately, the ACSC sees the impact of cyber security incidents each and every day, on individuals, large companies, and small businesses alike.

Luckily, cyber security doesn’t have to be difficult. There are three key areas that, if understood and implemented, can significantly reduce the likelihood or the impact of the most common cyber security incidents:

#1 Cyber Threats

This section is designed to help small businesses stay alert and prepared. It identifies and explains the most common types of cyber threats and what you can do to protect your business.

Malicious Software (Malware)

Malware is a term that describes many different types of software designed to cause harm. Malware can include:

  • Ransomware
  • Viruses
  • Trojans
  • Spyware
  • Worms
  • And more

Malware is used to gain access to important information such as bank or credit card numbers and passwords. It can also take control of, or spy on, a user’s computer.

Protections against malware include:

  • Automatically update your operating system
  • Automatically update your software applications
  • Regularly back up your business’ data

Scam Emails (Phishing)

Phishing uses ‘dodgy’ emails designed to trick recipients out of money and data. These can appear to be emails from individuals or organisations you think you know. They mimic phrasing, branding, and logos to appear ‘real’ before conning users into clicking a link or opening an attachment.

They defraud users by asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. They can also send an attachment, designed to look genuine, with malware inside.

Where does phishing come from?

  • Email
  • SMS
  • Instant messaging
  • Social media

Ransomware

Ransomware is malware that locks down your computer and files until a ransom is paid. Ransomware attacks are typically carried out via a malicious but legitimate-looking email link or attachment. When downloaded or opened, most ransomware encrypts a user’s files, then demands a ransom to restore access.

You should never pay a ransom because you are not guaranteed to regain access and may be vulnerable to a second attack.

Ways to prevent and recover from ransomware:

  • Update operating systems
  • Update software
  • Back up your business data

#2 Software Considerations

Securely organising your software can drastically increase your protection from the most common types of cyber threats.

Automatic Updates

An update is a new, improved or safer version of software (a program, app, or operating system, like Microsoft Windows or Apple iOS) that your business has installed on its computers or mobile devices.

An automatic update is a default or ‘set and forget’ setting that updates your software as soon as a new version is available.

Updating your systems promptly provides:

  • Better online security
  • Improved protection from loss of money, data, and identity
  • Enhanced features and efficiencies for programs and apps

Automatic Backups

Backups are a digital copy of your company’s most important information that is retained on a different device or physical location. These days, backups are often made on a scheduled and automated basis to a secure location in the cloud.

Why are backups important?

  • Quicker and easier to get your business back up and running if the information is lost, stolen, or destroyed
  • Protects the credibility of your business and helps meet legal obligations
  • Peace of mind that you are always protected, so you can focus your business efforts on the work that delivers value

Multi-Factor Authentication

Multi-factor authentication (MFA) is a security measure that requires two or more proofs of identity to grant you access to an account or web service.

MFA typically requires a combination of something the user knows (PIN, secret question), physically possesses (card, token), or inherently possesses (fingerprint, retina).

Small businesses should implement MFA wherever possible. Some MFA options include, but are not limited to:

  • Physical token
  • Random PIN
  • Biometrics / fingerprint
  • Authenticator app
  • Email
  • SMS

#3 People & Procedures

Businesses, no matter how small, need to be aware of and consciously apply cyber security measures at every level.

Given that small businesses often lack the resources for dedicated IT staff, it’s important to understand how to manage who can access and control your business’ information, and how to train your staff.

Access Control

Access control is a way to limit access to a computing system or cloud account. It allows business owners to:

  • Decide who they would like to give access privileges to
  • Determine which roles require what access
  • Enforce staff access control limits

Quick wins for implementing access control:

  • Restrict administrator privileges
  • Do not share passphrases
  • Remember to revoke accounts when people leave

Passphrases

Using a phrase or sentence, rather than a single word, as your password can increase your account security.

A passphrase is similar to a password. It is used to verify access to a computer system, program, or service.

Passphrases are most effective when they are:

  • Used with multi-factor authentication
  • Unique – not a famous phrase or lyric, and not re-used
  • Longer – phrases are generally longer than words
  • Complex – using the uppercase letters, symbols, and punctuation that occur naturally in a sentence
  • Easy to remember – saves you from being locked out

Employee Training

Cyber security awareness training educates your staff so they can protect themselves and your business against cyber threats.

A cyber security incident response plan can help change the habits and behaviours of staff and create a sense of shared accountability for keeping your small business safe.

Quick wins for employee training are:

  • Incorporate, update, and regularly repeat
  • Create a cyber security incident response plan
  • Reward employees who find threats
  • Create a cyber security culture

Need Help Implementing Your Cyber Security Plan?

You can download a full version of the ACSC Small Business Cyber Security Guide here. An integral factor in our company's purpose is to empower SMBs to be more secure with their technology so we invite you to reach out if you require further assistance implementing these recommendations.

Contact us today to learn more. Call (02) 9114 9920 or reach out online.