6 steps to protect your business against a cyber attack

Every day Australian businesses are suffering from cyber attacks.

Hackers aren’t just targeting big companies either – the increasing digitisation of small businesses means that they are vulnerable too. In fact, small businesses are attractive targets because they most likely don’t have enterprise grade security to protect them.

Often small businesses play a pivotal part in a supply chain, meaning that they can act as a springboard for attackers to get into larger organisations that are also part of that supply chain.

A study by Cisco in September 2021 found 65% of Australian SMBs suffered a cyber incident in the past 12 months. Two out of three say cyber incidents in the past year cost their business $645K or more.

Malware was the most prevalent cyber threat experienced, affecting 88% of Australian SMBs. Scamwatch also reported that between January and March 2021, there have been 14,226 reports of phishing with a revenue loss of $659,517.

Theresa Matthews, the owner of the Mogo Lolly Shop, is just one of the many small businesses that has suffered a cyber attack,

“In 2019, on the day of the bushfires, I hadn’t even thought to turn our website off. And during that day, while we were fleeing from the bushfires, I was unaware that our website had had had 436 attacks on our website. My emails were flooded with all these notifications that there were website hacking attempts happening to our website, and they were repeatedly being blocked. I went into a panic state.”

The Australian Cyber Security Centre offers a guide to help small businesses protect themselves from cyber attacks. The main takeaway is that many steps are not time consuming or need specialist technical knowledge.

Here are 6 measures you can take to help prevent common cyber security incidents.

1. Automatically update your software

• If you receive a prompt to update your operating system, other software or apps, install the update as soon as possible.
• Set a convenient time for automatic updates (eg in the middle of the night) to avoid disruptions to business as usual.

2. Manage who can access what within your business

• Only provide a team member with the minimum permissions required for them to do their work. For instance, a social media manager may only require Editor rights to your Facebook and Instagram account, and not full Admin rights.
• Do not share accounts or passphrases/passwords between staff.
• Remember to delete accounts and/or change passphrases/passwords when an employee or contractor leaves the business.

3. Install Multi-factor authentication

Multi factor authentication (or 2 factor authentication) is a security measure that requires two or more proofs of identity to grant you access.

Multi-factor authentication (MFA) typically requires a combination of:

• something you know (password/passphrase, PIN, secret question)
• something you have (smartcard, physical token, authenticator app)
• something you are (fingerprint or other biometric).

MFA is one of the most effective ways to protect your valuable information and accounts.

It is particularly important for financial accounts and email accounts.

4. Use passphrases instead of passwords

Passphrases use four or more random words as your password. They are most effective when they are long, unpredictable and unique.

For instance, the password ‘Billygoat’ is not very secure. The passphrase “TheThreeBillyGoatsGruff” is better, but “BillyGoatsEatHomeRainbows” is most secure. Even better add symbols, capital letters, or numbers to make the passphrase more complex eg “3BillyGoalsEatHomeRainbows!”

Also consider using a password manager like LastPass or OnePassword to store passphrases.

Having a unique passphrase for every valuable account may get overwhelming; however, using a password manager to save your passphrases will mean you don’t have to remember which passphrase goes where.

Obviously ensure that any password manager you use is protected with its own strong passphrase.

5. Regularly backup your data

• Consider what you can afford to lose in a worst case scenario to help guide requirements such as how often you backup your data.
• Keep at least one backup disconnected from your device, preferably at an offsite location in case of natural disasters or theft.
• Test your backups regularly by attempting to restore data

6. Train your staff in cyber security basics

Your staff can be the first and first and last line of defence against cyber security threats.

Training can change the habits and behaviour of staff and create shared accountability in keeping your business safe. Cyber security is everyone’s responsibility.

• This may include updating their devices, securing their accounts and identifying scam messages.
• Consider implementing a cyber security incident response plan to guide your business and your staff in the event of a cyber incident.
• Provide updated cyber security training on a regular basis.

If you want to improve your cyber security further, you can find more information and advice on the ACSC website at: cyber.gov.au.

Theresa has a final piece of advice: “If your website is critical to your business, then make sure you have security software that’s separate to your hosting. If I hadn’t implemented a second wall of protection then the hackers would have been able to hack into our accounts. The secondary SSL website protection system has been one of the best investments I’ve made.”