Cyber security measures for small businesses

A cyber security expert and a small business owner share their insights for improving cyber resilience.

At a glance

Here’s a snapshot of the advice from our interviewees:

  • Don't put cyber security in the too-hard basket – it's not worth the risk.
  • Make sure you have robust payment systems in place to avoid business email compromises.
  • It pays to implement cyber security software that comes with access to expert help for when you need it.
  • Small business owner Samantha Chua suggests asking your web designer what cyber security measures they have in place.

The recent Australian Cyber Security Centre Small Business Survey revealed that:

  • Companies lost $300 million each year due to cyber attacks
  • The ACSC receives around 144 reports of cyber attacks every day
  • 62% of the small and medium business owners surveyed had experienced cyber attacks

If these figures alone aren’t enough to get small business owners reviewing their cyber security strategy, then take it from cyber security expert James Eling, and from small business owner Samantha Chua, who has seen the impact of cybercrime up close.

What is cyber security?

“Cyber security refers to the processes that ensure the integrity and confidentiality of your business data and access to your systems,” explains James Eling, Director of IT business Extreme Networks.

Cyber security tools can include software, staff training and security-aware payment systems.

What are the different types of cyber attacks?

Cyber threats can come in the form of:

  • Message scams that try to get you to send money, click on malicious links, or reveal personal data including passwords or credit card numbers; they could come via email, SMS, social media or phone calls
  • Phishing attacks that might contain a link to a false website that encourages you to give up sensitive data such as the logins or passwords to your business’s social media accounts
  • Ransomware attacks that leverage limited security measures to encrypt a business’s data and stop the business operating until a ransom is paid
  • Malware attacks that use malicious software to gain access to sensitive data resulting in identity theft or other kinds of fraud

Why would cyber attackers bother with my small business?

“It’s a common misconception that small business owners don’t need to worry about cybercrime,” says James. “They hear about the big-scale attacks on large enterprises or read that the average hacking costs $1.5 million dollars and think, ‘Because I don’t have that kind of money, it won’t be worthwhile hacking my business.’

“However, attacks like business email compromise tend to involve amounts between $5,000 and $15,000 – enough to make it worthwhile to the hacker and enough to be seriously debilitating to a small business.”

What’s a business email compromise?

“This occurs when a cyber criminal intercepts an invoice from, say, one of your suppliers,” says James. “They duplicate the invoice so it looks exactly the same except for the bank account numbers. Often, these false invoices are paid and the business owner is none the wiser until the supplier starts following up their unpaid invoice.

“It’s a very insidious type of attack because it won’t necessarily get picked up by your security software. You might have done nothing wrong except to take it at face value.”

What should I do to protect my small business?

“At the bare minimum, you should use multi-factor authentication (MFA) and antivirus software, and make sure you’re updating your software and applications regularly,” says James.

“You must have an automated system to back up your data. Sometimes data loss is due not to a cyber attack but just to human error – a staff member deleting an email thread you really need. Backups mean you can protect your business from this kind of inconvenience and associated operational costs.”

In his eyes, robust payment systems and staff training are just as important as IT security.

“Some accounting systems might flag a change in bank account details for a regular supplier but if not, your staff must be alert to any unusual changes in bank account details, and invoice regularity and amounts,” he suggests. “If in doubt, check it out.

“Don’t call the number on the invoice – go to the business’ website directory and call that number. It’s a five-minute call that could save you a lot of money and anguish. And consider lowering your daily transfer amount – [this is] a quick and free way to protect a potentially catastrophic interruption to your cash flow.”
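
The check described above (a changed bank account for a regular supplier, or an unusual invoice amount or timing) can be sketched in a few lines of Python. This is an added example, not code from the interviewees or from any accounting product; the field names, thresholds, supplier and account numbers are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Invoice:
    supplier: str
    bsb: str
    account: str
    amount: float
    received: date

def normalise(value):
    """Drop spaces and hyphens so '000-000' and '000 000' compare equal."""
    return "".join(ch for ch in value if ch.isalnum())

def review_invoice(inv, master, history, amount_factor=2.0, gap_ratio=0.5):
    """Return the reasons to hold this invoice for a call-back check."""
    known = master.get(inv.supplier)
    if known is None:
        return ["unknown supplier: verify before first payment"]
    reasons = []
    if (normalise(inv.bsb), normalise(inv.account)) != known:
        reasons.append("bank details differ from supplier master record")
    past = sorted((h for h in history if h.supplier == inv.supplier),
                  key=lambda h: h.received)
    if past and inv.amount > amount_factor * mean(h.amount for h in past):
        reasons.append("amount well above this supplier's average")
    if len(past) >= 2:
        gaps = [(b.received - a.received).days for a, b in zip(past, past[1:])]
        since_last = (inv.received - past[-1].received).days
        if since_last < gap_ratio * mean(gaps):
            reasons.append("arrived much sooner than the usual interval")
    return reasons

# Constructed sample data (hypothetical supplier and account numbers).
MASTER = {"Example Supplies": ("000000", "12345678")}
HISTORY = [
    Invoice("Example Supplies", "000-000", "12345678", 1200.0, date(2024, 1, 5)),
    Invoice("Example Supplies", "000-000", "12345678", 1150.0, date(2024, 2, 5)),
    Invoice("Example Supplies", "000-000", "12345678", 1250.0, date(2024, 3, 5)),
]
GENUINE = Invoice("Example Supplies", "000 000", "12345678", 1180.0, date(2024, 4, 4))
ALTERED = Invoice("Example Supplies", "000-001", "87654321", 9800.0, date(2024, 3, 12))

if __name__ == "__main__":
    for inv in (GENUINE, ALTERED):
        print(inv.received, review_invoice(inv, MASTER, HISTORY) or "pay as usual")
```

Any invoice that returns a non-empty list is held until someone has phoned the supplier on a number taken from the master record, not from the invoice.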

James also recommends considering cyber insurance.

“It can be limited in its coverage but the process of applying is useful because it gets you to audit your business risks and ask yourself how your business would survive if you had to pay out [an] amount of money.”

A small business owner’s experience

“One of my websites recently got hammered with brute force attacks,” says Samantha Chua, director of Sincere Copy.

“At its peak, there were 300 login attempts in one hour. Fortunately my WordPress security software alerted me and I took quick action to make sure none of the client websites I manage were breached.

“I immediately enhanced security on every website and notified my clients to update their passwords. Thankfully, the attempted logins halved 15 minutes after I implemented the changes. Twelve hours later, everything was back to normal.”

Samantha has the following lessons and tips for other small business owners:

  1. “While the attack was unsuccessful, one repercussion was that Google picked up my email address as spam, so I’d recommend setting up a separate email address specifically for site security notifications – that way, your main inbox won’t be flagged as spam if and when an attack happens.”
  2. “If you’re hiring a web designer, make sure you ask them what cyber security measures they have in place. Luckily, mine were robust enough to protect my clients’ accounts.”
  3. “It was reassuring to know that the cyber security software I use has the option to get in touch with a dedicated specialist who would be able to provide support to recover the site, should the hack be successful.”

“Don’t put cyber security in the too-hard basket or think ‘She’ll be right’. It’s not worth the risk!”
