The essential small business guide to cybersecurity


Cybersecurity can seem daunting, but luckily it doesn’t have to be difficult. Good cybersecurity practices allow small businesses to grow, innovate, and find new ways of creating value for their customers.

Prevention is essential when it comes to cybersecurity. Protective measures can be simple, cost-effective and immediately beneficial.

Cybercrime is on the rise. During the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, or in simpler terms: one cyber attack report every 8 minutes. For small businesses, the average financial loss was $8,899 per cybercrime report, while for medium-sized businesses this figure was $33,442 per report (ACSC Annual Cyber Threat Report 2020–21).

During 2020 and 2021, COVID-themed scams were common as cybercriminals sought to target Australians’ desire for digitally accessible information or services. Cybercriminals seek to take advantage of people’s concern and goodwill around natural disasters (such as the 2019–20 Australian bushfires) and significant news events. Scams also focus on seasonal markers such as Christmas and tax time.

In this article, we will talk you through some of the most common cybersecurity issues that small businesses face, as well as some of the key things you can do now to keep your business safe.

This draws from the ACSC Small Business Cyber Security Guide – which has been designed for small businesses to understand, take action, and increase their cybersecurity resilience against evolving cybersecurity threats – as well as referencing a range of other resources and alerts available on

What is a cyber attack?

ACSC defines a cyber attack as a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity.

Note: There are multiple global definitions of what constitutes a cyber attack.

When are cyber attacks most likely to take place?

Cybercriminals are constantly taking advantage of weaknesses in our devices and software so they can steal data and money. A cyber attack can take place at any time, so the more you can do to protect your networks, the less likely you are to fall victim.

Cybercriminals take advantage of crises (such as the COVID-19 pandemic), natural disasters and seasonal events such as Christmas, end-of-financial-year sales and tax time to distribute themed scams. Pay particular attention to communications you receive during these times as they may not be legitimate.

The ACSC warns that cybercriminals never turn off, and urges Australians to ‘Act now, stay secure’ by accessing easy-to-follow cybersecurity advice to protect against common online threats and cybercrime.

What are some of the most common or significant cyber threats for small businesses?

The most common or significant cyber threats are:

  • malicious software (malware)
  • ransomware (a type of malware)
  • phishing (scam messages)
  • business email compromise


Malware is malicious or harmful software such as viruses, spyware, trojans and worms. Malware gains access to important information such as bank or credit card numbers and passwords. It can also take control over or spy on a user’s computer.

Malware is often distributed via phishing emails, remote access (where someone gains access to your computer remotely), or by exploiting vulnerabilities in applications or software.

Here’s how to protect yourself against malware (including ransomware):

  • automatically update your operating systems, software and apps
  • back up your data often
  • train your staff to recognise suspicious links and attachments
  • regularly check and secure your network and devices, including servers if you have them


Ransomware is a type of malware that encrypts or locks up your files so that you can no longer use or access them. Cybercriminals deploy ransomware and demand payment (usually in the form of untraceable cryptocurrency such as Bitcoin) to restore access to the files, or to prevent data from being leaked or sold online.

Ransomware is low-risk, high-reward for cybercriminals. It is easy to develop and distribute. There are also ready-made ransomware packages available on the ‘dark web’ for cybercriminals to instantly deploy.

While ransomware-related cybercrime represents a relatively small number of the overall cybercrimes reported to the ACSC in 2020–21, it remains a significant threat due to its high financial impact and disruptive impacts to victims and the wider community. It is also on the rise, with the ACSC Annual Cyber Threat Report 2020–21 outlining a 15% increase in ransomware reports over the previous financial year.

The ACSC advises that you never pay a ransom. Paying a ransom does not guarantee your files will be restored, nor does it prevent the publication of any stolen data or its sale for use in other crimes. You may also be targeted by another attack.

Read: Examples of ransomware incidents.

Phishing messages

Phishing messages are scams that are made to appear as if they were sent from individuals or organisations you think you know or think you should trust. Phishing is discussed in more detail below.

Business Email Compromise (BEC)

In a BEC scam, cybercriminals will send fraudulent emails posing as a real business contact or staff member. These emails typically request a change in bank account details for wages (for example, if impersonating a staff member) or future invoice payments (for example, if impersonating a supplier). They may also request goods.

These fraudulent emails may come from hacked email accounts, or cybercriminals might register website names that are similar to real companies (typically by swapping letters or adding more characters).

BEC continues to present a major threat to Australian businesses.

The ACSC has observed an increase in BEC activity targeting the construction sector and professions involved in property transactions (for instance, real estate agents and lawyers).

How to protect yourself against BEC

This trend has potential for significant financial and reputational harm, but there are some easy steps you can take to protect your business from BEC scams. The ACSC recommends that you:

  • Verify payment details: Take care to confirm requested changes to details, for instance by calling the sender’s established phone number.
  • Make employees aware: Ensure employees are trained to spot suspicious emails, including requests to change bank account details. Be aware of emails linking to fake websites, as these could be trying to capture passwords.
  • Secure email accounts: Use multi-factor authentication, and if that is not possible then use a strong, unique passphrase on email accounts to help prevent unauthorised access.

Review the ACSC’s Email Security page for further information and practical guides to assist you.

What are the tell-tale signs of scam messages?

Scam or ‘phishing’ messages use phrasing, branding and logos to appear real, with the aim of tricking users into clicking on a link or attachment.

Scam messages can be sent via email, SMS, instant messaging, or social media platforms. They aim to trick users into providing or confirming confidential information – such as passwords and credit card numbers – or paying an invoice for a fake account. They can also send an attachment, designed to look genuine, with malware inside.

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages can appear more genuine. It can be very difficult to distinguish these malicious messages from genuine communications.

Be cautious of:

  • requests for money, especially if urgent or overdue
  • requests to log in to a website to correct a problem or to access an unexpected document
  • attachments

Consider the following questions: were you expecting this contact from the company or individual? If not, be very cautious about following directions or clicking the links. If so (for example, a courier message when you are expecting a package), consider if the message is personalised or generic. If the message is generic, this could indicate it has been sent to multiple recipients rather than you alone, which could indicate a scam.

Reputable organisations should not call, SMS or email to verify or update your information.

What to do: If a message or phone call seems suspicious, contact the person or business separately to check if they have made contact. Never use the contact details provided in the suspicious message – use contact details you find through a legitimate source, such as the company’s official website.

Scamwatch provides information on current scams, and many companies also have security pages that identify active scams using their branding.

Take the short ACSC phishing quiz to view some useful tips and see if you can spot a phishing message.

What are the tell-tale signs of phone scams?

Phone scams have been on the rise. Scammers call or text people and claim to be from well-known businesses or government agencies to steal people’s personal information for financial gain. From January to September 2021, Scamwatch received 213,000 reports of scams, over half of which (113,000) were related to phone scams.

Scammers can claim to be from large companies, delivery organisations, law enforcement agencies or other Government agencies such as the Australian Taxation Office.

Phone scammers may claim a scenario such as the following:

  • that a large purchase has been made on your card or account – they may offer to assist you with processing a refund.
  • that there is something wrong with your computer or internet connection – they need remote access to assist you.
  • that you have a tax bill or outstanding warrant for your arrest, requiring immediate action.

They may threaten you if you do not follow their directions (threat-based impersonation scams).

Never allow a caller to lead you into downloading an application – such as TeamViewer or Zoho Assist – so they can ‘assist’ you with the stated issue. This will set up remote access to your computer and enable them to steal confidential information or install malicious software.

Never give your credit card or online account details over the phone unless you made the call and you’re using a phone number from the trusted source, like the organisation’s official website.

The phone number from the scammer could appear to be coming from a legitimate organisation, as scammers can mimic a local number to conceal their identity.

If you’re in doubt about a call claiming to be from a Government agency or Australian business and want to verify its legitimacy, hang up and contact the organisation by sourcing their details separately from their website – do not use the phone number or other details from the incoming call.

Top cybersecurity tips to safeguard your small business

This is not exhaustive. Please review the links and additional resources for more information and tips.

1. Update your operating system and software

Much like a thief attempting to break into a home, cybercriminals will always look for the easiest way in. When your software is not up to date, it’s like leaving a window unlocked. By always updating software, you’re essentially plugging any gaps the cybercriminals might try and get in through.

Keeping your computer and applications up-to-date is one of the best ways to protect yourself from a cybersecurity incident. Regularly updating your software will reduce the chance of a cybercriminal using a known weakness to run malware or hack your device.

Turn on automatic updates to make sure you’re always using the most secure version. Updates are an important part of keeping your devices and your data safe and setting up automatic updates will save you time and worry.

If you receive a prompt to update your computer, phone, apps, or other software, you should install the update as soon as possible.

If you’re not sure how to set up automatic updates, you can find easy step-by-step guides on

2. Enable multi-factor authentication (MFA) for all your accounts

MFA is a security measure that requires two or more proofs of identity to grant access to your accounts. It typically requires a combination of:

  • something you know (password/passphrase, PIN, secret question)
  • something you physically possess (smartcard, physical token, authenticator app)
  • something you inherently possess (fingerprint or other biometric such as retina pattern)

Enable MFA on all your accounts, starting with the most important ones:

  • email accounts
  • online banking and sites with payment details
  • social media

You may also hear the term 2-factor authentication (2FA), which uses two proofs, as this is the most common type of MFA. MFA is one of the most effective ways to protect against unauthorised access to your accounts. Criminals might steal or guess one proof of identity (such as your PIN or password), but they still need the other proofs of identity to access your account.

Review the Step-by-Step guides for instructions on how to set up 2FA on different accounts.

3. Back up your key data

A backup is a digital copy of your most important information that you have saved to an external storage device or to the cloud. Back up your data regularly so it is accessible if it is ever lost, stolen or damaged.

Think about whether you could afford to lose your data. What would this do to you financially and operationally? What would this do to your reputation? Backups will allow your business to recover from a cyber incident (such as ransomware) and will help to minimise downtime.


  • set up an automatic backup system to regularly back up your important data
  • choose a backup system that’s right for your business
  • test your backups regularly by attempting to restore data
  • always keep at least one backup disconnected from your device, preferably at an offsite location in case of natural disasters or theft.
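
One way to carry out the restore test from the list above is to record a checksum for every file when the backup is made, then check a test restore against that record. The following is an added example, not part of the ACSC guidance; the function names and the sample files built in `demo()` are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(recorded: dict, restored_dir) -> dict:
    """Compare a restored folder with the manifest recorded at backup time."""
    actual = build_manifest(restored_dir)
    shared = recorded.keys() & actual.keys()
    return {
        "missing": sorted(recorded.keys() - actual.keys()),      # lost in the restore
        "changed": sorted(p for p in shared if recorded[p] != actual[p]),
        "unexpected": sorted(actual.keys() - recorded.keys()),   # not in the backup
    }


def restore_ok(report: dict) -> bool:
    """A restore passes only if nothing is missing or altered."""
    return not (report["missing"] or report["changed"])


def demo() -> dict:
    """Constructed sample: one file lost and one corrupted during restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for base in (source, restored):
            (base / "invoices").mkdir(parents=True)
        (source / "invoices" / "2021-001.txt").write_text("Invoice 001: $120.00")
        (source / "customers.csv").write_text("name,email\nA. Citizen,a@customer.example\n")
        recorded = build_manifest(source)  # taken when the backup is made
        (restored / "invoices" / "2021-001.txt").write_text("Invoice 001: $920.00")
        # customers.csv is deliberately absent from the restored copy
        return verify_restore(recorded, restored)


if __name__ == "__main__":
    report = demo()
    print(report, "restore ok:", restore_ok(report))
```

Comparing against a manifest recorded at backup time, rather than against the live files, avoids false alarms from files that were legitimately edited after the backup ran.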

Review the Step-by-Step guides for instructions on how to back up and restore your files.

4. Use passphrases where MFA is not possible

Using MFA is the most effective way to protect your accounts from unauthorised access. However, if any of your accounts do not support MFA, then having a unique, strong passphrase becomes even more important to protect your account. This will offer better protection compared to a simple password.

Passphrases use 4 or more random words as your password. Compared to a password, passphrases are more secure and easier to remember. Create a unique passphrase for your accounts and devices that do not support MFA. Consider using a password manager to help store your passwords and passphrases.

5. Regularly conduct employee training

Cybersecurity is not all about IT and technical controls. Your employees are one of the first and last lines of defence – and one of the most important – in protecting your business from cybersecurity threats.

Regular education and cyber awareness training are critical to protecting your staff and business against cyber threats. Cybersecurity is continuously evolving, so keeping everybody up to date could be the difference between whether or not a criminal accesses your money or data.

Create a positive cybersecurity culture and encourage regular discussions – where staff feel empowered to come forward even if they suspect they were fooled by a suspect link. The sooner a possible issue is discovered, the sooner you can investigate and take remedial steps if required.

Set up a cybersecurity emergency plan in case you ever need to respond to a cybersecurity incident. This can help to change the habits and behaviours of staff and create a sense of shared accountability in keeping your small business safe.

6. Implement access control processes

Access control is a process to manage who can access what within your business computer systems. The principle of ‘least privilege’ is often the safest approach for small businesses, as it gives users the bare minimum permissions they need to perform their work. For example, restrict administrator (full access) privileges on user accounts.

Administrator accounts are the ‘keys to the kingdom’, as they give a user full control of the computer. Cybercriminals will target administrator accounts in order to take full control of a user’s computer. By not using an administrator account for everyday use you will help limit what a virus can access if your computer becomes infected.

7. Prioritise your personal cybersecurity

Importantly, also consider your own online footprint. What you do in your personal cyberspace can flow on to affect your business.

Personal cybersecurity is the continuing steps you can take to protect your accounts and devices from cyber threats.

Think about the information you are placing online and the privacy controls you have in place. For instance, cybercriminals can use publicly available information to try to build trust or impersonate you or a colleague. This can lead to attempts to infiltrate your networks or engineer payment of a false account. The more information a cybercriminal can discover from public sources, the more convincing a potential scam can be.

Protecting privacy and data on your own devices and platforms can be as important for your business as it is to you personally.

Additional cybersecurity resources

Cybersecurity is a matter for anyone who connects online, personally and professionally. We can all contribute to protecting ourselves, our businesses and our community by following these easy steps. Refer to the resources below on for more tips and guidance.

What to do if you have fallen victim to cyber attack

Protect yourself from cyber attack

The ACSC’s Small Business Cyber Security Guide was developed to help small businesses protect themselves from the most common cybersecurity incidents. There are simple measures that can significantly avoid, or reduce the impact of, the most common cybersecurity incidents. The Small Business Cyber Security Guide is complemented by Step-by-Step Guides and Quick Wins:

  • The Step-by-Step guides detail basic cybersecurity instructions on topics such as how to enable multi-factor authentication, how to turn on automatic updates and how to back up your data.
  • The Quick Wins documents are designed to inform users about technology issues that impact cybersecurity, with a brief overview of the topic – such as websites, portable devices, and end of support.

See the Small and Medium Businesses section of for useful links and information.

See Email Security for information on how to protect yourself, your business and employees from an email security incident, including Protecting your business from email fraud and compromise.

See Protecting your business online for useful guidance on how to manage online activities.

Follow ACSC on socials

Follow the ACSC on Twitter and Facebook to see the latest content and find practical information about how to improve your cybersecurity.