Published On: June 5, 2026
Categories: Accounting, Aspire AA Group, News Flash
Strategies for Small Business Survival

The digitalisation of business has created significant efficiencies for small businesses. From cloud software and online banking to electronic signing and client portals, many day-to-day business processes now rely on digital systems.

However, this also means cyber security is an important business risk area that should not be overlooked.

Cyber incidents can result in financial loss, business interruption, reputational damage and, in some cases, privacy or data breach obligations.

Below are five practical steps small businesses can consider to strengthen their cyber security.

1. Use strong passwords and multi-factor authentication

Strong, unique passwords or passphrases should be used for each business account, software platform and online service.

Avoid reusing passwords across multiple systems. If one account is compromised, reused passwords can make it easier for cybercriminals to access other accounts.

A reputable password manager can help your team securely store and manage login details.

Where available, multi-factor authentication should also be enabled. Multi-factor authentication requires an additional verification step before access is granted and is one of the most effective ways to protect business accounts from unauthorised access.

2. Keep software and devices up to date

Cybercriminals often exploit known security weaknesses in outdated software.

Regularly updating operating systems, browsers, accounting software, antivirus software, apps and devices helps close known security gaps.

Where appropriate, automated updates should be turned on so that important security patches are not missed. The Australian Cyber Security Centre recommends keeping software up to date as one of the key steps small businesses can take to improve cyber security.

3. Train your team to recognise cyber risks

Technology is only one part of cyber security. Staff awareness is also important.

Many cyber incidents involve phishing emails, fake invoices, malicious links, compromised passwords or social engineering, where a person is tricked into providing access or sensitive information.

Regular staff training can help your team identify warning signs, including:

  • unexpected payment requests;
  • changes to supplier bank details;
  • suspicious links or attachments;
  • requests for passwords or verification codes;
  • emails that create urgency or pressure; and
  • unusual login or access requests.

Creating a culture where staff feel comfortable questioning unusual requests can help reduce the risk of a cyber incident.

4. Back up important business data

Backups are an important safeguard against ransomware, hardware failure, accidental deletion and system outages.

Businesses should identify their critical data and ensure it is backed up regularly.

This may include accounting files, client records, payroll information, contracts, emails, business documents and operational records.

Where possible, consider the 3-2-1 approach: keep three copies of important data, stored on two different types of storage, with one copy stored securely off-site or in a secure cloud environment.

Backups should also be tested periodically to ensure they can be restored when needed.
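
One way to check both points above, shown as an added example rather than anything from this article's authors: a short Python script that tests a backup inventory against the 3-2-1 approach and compares a test restore with the data it came from, file by file. The inventory format, function names and sample files are hypothetical, and the comparison assumes the live folder has not changed since the backup was taken.

```python
import hashlib
import tempfile
from pathlib import Path

def check_321(copies):
    """copies: every copy counted towards the three, as dicts with
    'media' and 'offsite' keys (hypothetical inventory format).
    Returns the unmet 3-2-1 conditions; an empty list means all are met."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        gaps.append("fewer than two storage types")
    if not any(c["offsite"] for c in copies):
        gaps.append("no off-site or cloud copy")
    return gaps

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_restore(source_dir, restored_dir):
    """Report files that are absent from the restore or differ from the source."""
    src, dst = file_hashes(source_dir), file_hashes(restored_dir)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
    }

def demo():
    """Constructed sample: one file lost and one altered in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        (live / "payroll.csv").write_text("id,amount\n1,1000\n")
        (live / "ledger.csv").write_text("date,entry\n")
        (restored / "payroll.csv").write_text("id,amount\n1,9999\n")
        return verify_restore(live, restored)

if __name__ == "__main__":
    inventory = [  # constructed inventory: two on-site disk copies only
        {"name": "office NAS", "media": "disk", "offsite": False},
        {"name": "USB drive", "media": "disk", "offsite": False},
    ]
    print(check_321(inventory))
    print(demo())
```

An empty result from both functions is the outcome to aim for; anything listed under "missing" or "changed" means the backup would not have restored that file intact.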

5. Review your cyber risk and insurance arrangements

No system is completely risk-free. For this reason, businesses may wish to review their cyber risk management processes, incident response plan and insurance arrangements.

Cyber insurance may assist with certain costs following a cyber incident, depending on the policy. This could include areas such as incident response support, data recovery, business interruption, legal costs or notification expenses.

However, coverage varies between policies, and exclusions may apply. Businesses should speak with their insurer or insurance broker to understand what is and is not covered.

What if a data breach occurs?

If your business handles personal information, you may have obligations under the Privacy Act and the Notifiable Data Breaches scheme.

Where a data breach involving personal information is likely to result in serious harm, some organisations are required to notify affected individuals and the Office of the Australian Information Commissioner.

Businesses should seek appropriate advice if they are unsure about their obligations following a cyber incident.

Need help reviewing your cyber risk?

Cyber security is an important part of managing business risk.

While we are not cyber security specialists, we can help you identify common business process risks, such as invoice fraud, payroll changes, supplier payment controls and record-keeping practices.

Where specialist support is required, we can also connect you with trusted IT, cyber security or insurance professionals.

If you would like to discuss your business processes and cyber risk management, please contact our office.
