Why cyber safety is important

In 2017, 60% of cyber-crime was targeted at Small and Medium Businesses (SMBs). More than half of those attacked closed their doors within 6 months because of the financial repercussions. Cyber criminals target SMBs because they don’t have the same cyber security capabilities as larger organisations.

We want to share our expertise with SMB owners to help you protect your business against cyber threats.

What you’ll learn:

  • The value of your business data
  • How to protect your website from cyber threats
  • How to create a business continuity plan
  • Security awareness tips for your employees.
  • The value of your business data

    Your business data is as important as your physical assets. Insurance can replace inventory, machinery and equipment, vehicles and even buildings, but your business data is not so easily replaced.

    Think about the time and effort you’ve put into building up your customer and business intelligence, including:

    • Your customer records including credit card details, personal details, account numbers, orders and payments
    • Your business records such as your strategy, banking details, your marketing database and accounting records
    • Your intellectual property, such as market research or product development plans.

    Could your business survive if you lost access to your data or if you had to rebuild from scratch?

    Why do criminals want your data?

    They have many ways to use your data to make money. Here’s just a few:

    • They can use your data for their own malicious purposes, or sell it to other criminals for things like mailing lists, phishing, scams, or identity theft
    • They could hold your data to ransom, forcing you to pay a fee to get your data back
    • They could sell it to your competitors.

    Check your understanding

    Is the data your business collects valuable?

    Yes

    Unfortunately, you’re right. Criminals regularly attack small and medium sized businesses. That’s because they often lack the resources of large organisations, and are viewed as easier targets by cyber criminals. In Australia, SMBs are more actively targeted by cyber criminals than large businesses.

    No

    Unfortunately, this is not correct. Criminals regularly attack small and medium sized businesses. That’s because they often lack the resources of large organisations, and are viewed as easier targets by cyber criminals. In Australia, SMBs are more actively targeted by cyber criminals than large businesses.

  • How to protect your website

    Criminals can use your website to get into your computer network and steal information about your business or customers. How? They use automated hacking tools which quickly search the internet to find websites that have security gaps.

    Some criminals also attack business websites directly and stop them from working. This is called a Denial of Service (DoS) attack. They do this by ‘flooding’ a website with more connection requests than it can handle, so genuine customers can’t get through. Often the flood comes from many hijacked machines at once (a distributed DoS, or DDoS), which can saturate your hosting provider’s connection before the traffic ever reaches your website. If your Internet service or web hosting provider isn’t protected against a DoS attack, your business is at risk.
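    The flood described above shows up in your web server’s access log as one client address making far more requests in a minute than any real visitor could. The script below is an added example, not part of the NAB module: it builds a small constructed log in the common Apache/nginx format (three ordinary visitors plus one client sending 150 requests in a single minute) and reports any address that exceeds a per-minute limit. The log path mentioned in the comments is an assumption; on a real host you would point `flood_report` at your own access log.

```shell
# Added example (not part of the NAB module): count requests per client
# address per minute in a web-server access log to spot a flood.
# The log lines are constructed samples in the common Apache/nginx format.
# On a real host the log would be something like /var/log/nginx/access.log
# (an assumption; the path depends on your server).

# Write a constructed sample log: three ordinary visitors plus one client
# that sends 150 requests inside a single minute.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    for ip in 203.0.113.9 203.0.113.20 203.0.113.31; do
        printf '%s - - [10/Mar/2024:14:05:%02d +1100] "GET /index.html HTTP/1.1" 200 612\n' \
            "$ip" "$i" >> "$out"
        i=$((i + 1))
    done
    awk 'BEGIN { for (n = 0; n < 150; n++)
                   printf "198.51.100.7 - - [10/Mar/2024:14:05:%02d +1100] \"GET / HTTP/1.1\" 200 612\n", n % 60 }' >> "$out"
}

# Print "<count> <ip> <dd/Mon/yyyy:HH:MM>" for every client that made at
# least LIMIT requests in one minute, busiest first. Empty output = no flood.
flood_report() {
    log="$1"
    limit="$2"
    awk -v limit="$limit" '
        {
            ip = $1
            # $4 is "[10/Mar/2024:14:05:01"; keep the date and hour:minute
            minute = substr($4, 2, 17)
            count[ip " " minute]++
        }
        END {
            for (key in count)
                if (count[key] >= limit) print count[key], key
        }' "$log" | sort -rn
}

# Demo: build the sample log and report anything over 100 requests a minute.
demo_flood_report() {
    log=$(mktemp)
    make_sample_log "$log"
    flood_report "$log" 100
    rm -f "$log"
}
```

    A report like this is useful evidence to hand to your hosting provider, and it catches a single noisy source. A large distributed flood will usually saturate the connection before your server logs anything, which is why the tips below start with what your host and ISP will do for you.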

    Protection tips

    • Understand your risks. If your website has information only, an attack may damage your business reputation. However, if customers can purchase directly from your website, then an attack may impact both your revenue and reputation. It may also lead to customer information being stolen.
    • Don’t wait until something goes wrong. Understand the services offered by your website host and internet service provider. Find out what protection they offer and any service level agreements that are part of your contract. If you’re not comfortable with either, change them.
    • Have an incident plan. This is a vital part of a cyber security strategy, and will help your business respond and recover from a cyber incident. Learn more about recovering from business disruptions.
    • Keep your software up-to-date. It’s best to set up your software to automatically update, so you always have the latest security improvements.
    • Install a firewall. A firewall is a security system, built into most routers and operating systems or available as separate hardware or software, that monitors and manages traffic between your computer network and the internet. It blocks traffic that could potentially harm your computer systems.
    • Back up your website and test the recovery. It’s crucial to have procedures in place to regularly back up your website. You also need to test the backups work so that you know you’ll be able to recover all your data if an incident happens.
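    The last tip, testing that a backup actually restores, is the one most businesses skip. The script below is an added example, not part of the NAB module: it archives a website directory, records a checksum of the archive, then proves the backup is usable by restoring it into a scratch directory and comparing every file with the original. It assumes a Linux or similar system with GNU tar, sha256sum and diff; the site and backup locations are whatever you pass in, and the demo uses a small constructed site.

```shell
#!/bin/sh
# Added example (not part of the NAB module): back up a website directory,
# record a checksum of the archive, then prove the backup restores cleanly
# by extracting it into a scratch directory and comparing with the source.
# Assumes GNU tar, sha256sum and diff. Paths are whatever the caller passes.
set -eu

# Create a dated archive of SITE_DIR inside BACKUP_DIR plus a .sha256 file.
# Prints the archive path.
backup_site() {
    site_dir="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$backup_dir/site-$stamp.tar.gz"
    # -C so the archive holds relative paths, not the absolute source path
    tar -czf "$archive" -C "$site_dir" .
    (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# Verify the archive checksum, restore into a fresh scratch directory and
# compare it with the original. Returns 0 only if the restore is complete.
verify_restore() {
    archive="$1"
    site_dir="$2"
    # 1. integrity: the archive still matches the checksum taken at backup time
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
    # 2. restorability: it extracts into a clean directory without errors
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    # 3. completeness: every file in the source is present and identical
    if diff -r "$site_dir" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Demo with a constructed site (sample content, not a real website).
demo_backup_and_verify() {
    site=$(mktemp -d)
    backups=$(mktemp -d)
    printf '<html>home</html>\n' > "$site/index.html"
    mkdir -p "$site/images"
    printf 'fake-png-bytes\n' > "$site/images/logo.png"
    archive=$(backup_site "$site" "$backups")
    if verify_restore "$archive" "$site"; then
        echo "restore test passed: $archive"
        result=0
    else
        echo "restore test FAILED: $archive" >&2
        result=1
    fi
    rm -rf "$site" "$backups"
    return $result
}
```

    Run `backup_site` on a schedule and `verify_restore` straight after it, and keep a copy of the archive and its .sha256 file somewhere off your network. A website that also has a database needs its database dump included in the same backup; this example covers the files only.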

    Check your understanding

    How can you protect your website from a DoS and other cyber attacks to reduce the impact to your business and customers?

    Make sure your website host and internet provider will protect you against cyber attacks

    Correct. However, there is more than one right answer.

    Have an incident response plan in place

    Correct. However, there is more than one right answer. Follow your incident response plan and keep in close contact with ISPs and any other DoS mitigation providers. The guiding objective through any incident is to continue providing an accessible service to customers. Where that is not possible, the objective is to restore normal business function as soon as possible.

    Back up your website and test recovery regularly

    Correct. However, there is more than one right answer.

    All of them

    Correct. You should have all the above measures in place to protect your website.

  • How can you protect your business data?

    To keep your data safe you need to implement safeguards across your technology, processes and people.

    Technology safeguards

    1. Create an Asset Register

    This simply means recording what data you have, and where it is stored. Create a list of all the data you use or store and include all the items we talked about in the previous module, such as:

    • Your customer records including credit card details, personal details, account numbers, orders and payments.
    • Your business records such as your strategy, banking details, your marketing database and accounting records.
    • Your intellectual property, such as market research or product development plans.

    2. Next to each item, list where it’s stored (i.e. local hard drive, network drive, USB stick, email, Google Drive, Dropbox, etc.).

    3. Finally, assess how vulnerable to cyber attack each item is. To do this, ask yourself:

    • Can the information be accessed by someone outside your business? Think about information that may not be securely stored on your employee’s devices, including laptops, phones and tablets.
    • Where is all your data stored? If it’s all in the same place - either on physical storage media or virtually in the cloud - you risk losing everything.
    • Is your data backed-up off your network and checked for recovery regularly?

    4. Implement these important technical controls on both your desktop and mobile devices to help secure your data:

    • Block unauthorised access to your network by installing a firewall.
    • Set PINS/passwords/patterns on mobile phones and tablets.
    • Protect computers and laptops by setting up auto-updates on your anti-virus software, applications and operating systems. See the Australian Government’s Stay Smart Online service for useful information on how to do this.
    • Check your cloud storage for its security standards.

    5. Implement the Essential 8

    For a comprehensive cyber security strategy, check out the Essential 8 - a prioritised set of eight baseline mitigation strategies that organisations of any size, including SMBs, can use. It’s been put together by experts at the Australian Signals Directorate, the Australian Government’s signals intelligence and cyber security agency within the Defence portfolio.

    Check your understanding

    Here are a range of technology safeguards:

    • A firewall to stop intrusions
    • An asset register
    • Procedures to regularly back-up and test your data

    Which of the above do you need to have in place?

    All of these

    Great! You have the foundations of good cyber safety.

    Some of these

    That’s a good start, but ideally you need all these protections to stay safe.

    None of these

    These items are critical for your data safety. Now is the perfect time to put these protections in place.

  • Make your processes safe

    Cyber safety is not just about your technical controls like firewalls and anti-virus software. It’s important you and your staff support those controls with clear processes, policies and guidelines.

    • Develop and communicate good business practices for passwords and system access. Visit 6 simple ways to protect your passwords.
    • Give each employee their own usernames and passwords for accessing systems, and don’t allow shared accounts.
    • Make sure the access level of each employee is right for what they need to do their job.
    • Only you or your most senior IT employee should have administrator access, and administrator accounts should be used only for administrative tasks, not for everyday email or web browsing. This makes sure only authorised people can change your systems. If multiple people have administrator access and the password of one of them is compromised, it could give a criminal access to all your accounts and systems.
    • To prevent email-based scams, insist employees confirm any changes to invoice account details via a phone call with the supplier (on a known contact number) before paying it.
    • Have employees confirm all requests for funds transfers with the person asking for it, even if it appears legitimate.
    • Develop systems and processes to support safe behaviours, and encourage your team to report suspicious events.
    • Put in place clear cyber safety guidelines and policies so employees know how to securely use:
      • email, Internet and social media
      • computers and laptops
      • personal devices such as mobile phones and tablets
      • passwords and/or PINs to access your business network, or any devices they use for work.
    • Help your employees understand the importance of cyber safety and the impacts an incident can have. Make sure their responsibilities are documented and understood. Try not to focus on scare tactics or what your employees can’t do. Instead, talk openly about ways to work together to keep the business and your customers safe.
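    Individual accounts, the right access level and a short list of administrators are easy to state and easy to drift away from. The script below is an added example, not part of the NAB module: it reads account data in the standard Linux passwd and group file format and reports two things, administrators who are not on your approved list and interactive logins whose names look like a shared account rather than a person. The sample files are constructed; on a real Linux host you would point the functions at /etc/passwd and /etc/group. The administrator group names and the list of “generic” login names are assumptions you should adjust to your own systems.

```shell
# Added example (not part of the NAB module): check who holds administrator
# rights and which logins look like shared accounts, from passwd/group-format
# data. The sample files in the tests are constructed; on a real Linux host
# use /etc/passwd and /etc/group. The group names and the "generic" login
# names below are assumptions; adjust them for your business.

# Members of the groups that grant administrator rights, one per line.
admin_members() {
    group_file="$1"
    awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "admin" {
                 n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
             }' "$group_file" | sort -u
}

# Administrators who are not on the approved list (a space-separated string).
unapproved_admins() {
    group_file="$1"
    approved="$2"
    admin_members "$group_file" | while read -r user; do
        case " $approved " in
            *" $user "*) ;;
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Interactive logins (uid >= 1000 with a real shell) whose names suggest a
# shared account rather than a named person.
shared_accounts() {
    passwd_file="$1"
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ &&
             $1 ~ /^(admin|office|reception|sales|shared|staff|guest|user|test)[0-9]*$/ { print $1 }' "$passwd_file"
}

# Run both checks; print findings and return 1 if anything needs attention.
account_audit() {
    passwd_file="$1"
    group_file="$2"
    approved="$3"
    status=0
    extra=$(unapproved_admins "$group_file" "$approved")
    if [ -n "$extra" ]; then
        printf 'Administrator access not approved for:'
        printf ' %s' $extra
        echo
        status=1
    fi
    shared=$(shared_accounts "$passwd_file")
    if [ -n "$shared" ]; then
        printf 'Possible shared accounts:'
        printf ' %s' $shared
        echo
        status=1
    fi
    return $status
}
```

    Run the audit on a schedule and treat any output as an action: give the shared login’s users their own accounts, and take administrator rights away from anyone who doesn’t need them for their job. The same two questions apply to cloud services and your accounting software, even though the data comes from a different place.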

    Check your understanding

    One of your employees receives an email asking for payment of an invoice as well as a change of banking details. Would they know all the steps to take?

    Yes

    Great. You have made cyber safety an important part of your business practices.

    No

    This is your chance to get your employees up to speed about email cyber security. Start by showing them where to report suspicious emails and make sure they confirm the email is legitimate by contacting the sender by a different communication method. You can also ask them to forward these emails to you so you can show the rest of the team.

  • Make it easy for employees to practice cyber safety

    It’s important you have a positive and proactive security culture, starting with your induction program. This should include a conversation, interactive workshop or an online training module like this one to help new employees understand the importance of cyber security.

    Set up a schedule to:

    • Ensure all employees are trained in cyber security and understand all the policies and procedures to keep themselves and your business safe.
    • Build security awareness with regular talks
    • Give employees updates on security issues, especially new threats. Check out our latest scams, fraud and phishing alerts.
    • Provide tips and information to keep employees secure in their personal lives, and they’ll bring those behaviours to work. Select someone with an interest in cyber safety to be a ‘Cyber Champion' to provide information at team meetings.
    • Discuss privacy settings on professional sites such as LinkedIn and on social media and email safety. A criminal can use information found on the Internet to target an employee with a malicious message or request. Find a balance between reflecting your career and potentially providing criminals with useful information.
    • Let your team know they can find more information at:

    Check your understanding

    What’s more important for cyber safety in your business: human controls or technical controls?

    Human controls

    Human controls are essential, but even the most vigilant can miss something. Cyber safety is only achieved when you combine human and technical controls. Show your employees the Cyber Safety Hub for more information on how to protect themselves, and your business.

    Technical controls

    Even the best technical controls sometimes don’t stop criminals. Cyber safety is only achieved when you combine human and technical controls. Show your employees the Cyber Safety Hub for more information on how to protect themselves, and your business.

    Both

    Correct. Cyber safety is only achieved by combining human and technical controls. Show your employees the Cyber Safety Hub for more information on how to protect themselves, and your business.

Congratulations!

You have completed NAB’s Introduction to Cyber Safety for small and medium business owners module. We hope you found it valuable.

For more information on how to help keep your business safe online, visit our Cyber Safety Hub for Business.
