15 Critical Cyber Security Tips for Business

By Luke Smits - Founder & Operations Manager
illustration with padlock and key on a laptop screen

There’s a reason cyber security is at the forefront of businesses - 

Every business collects data.

We are in the digital era; the era of the internet and data is valuable. And, when there something of value, it’s only a matter of time before someone comes along that will attempt to take it for themselves.

Cyber criminals will target any business that leaves itself unprotected and a successful cyber-attack can have a devastating effect on your business. It can be terrible for your reputation, your brand, and your customers. At the very least, it could be embarrassing, and at worst, severe financial repercussions could shut your business down. 

Do not take Cyber security attacks lightly.

They’re concerning and the threat to your business is real. The reality is many data breaches happen because a business has left the front door open when it comes to their technology.

But there are cyber security measures your organisation can put in place to keep the door locked on your data.

Here are our top 15 cyber security tips for small business owners:

Download the 15 Steps to Cyber Security for Business – Checklist

secure password management


Proper password management is one of the most important processes you can implement in your business right now. Here are some helpful tips for maintaining secure passwords:


  • Use a different password for every login
  • Make sure your passwords follow best practice
  • Store your passwords securely using a password manager
  • Consider single sign on.


  • Use the same password across multiple sites or services
  • Store your passwords in your internet browser.
  • Share passwords throughout your team

Make your passwords unique

We've said it before, and we'll say it again:

Your pet's name combined with your birth year is NOT a secure password choice. It’s made even worse if you've used that same password across multiple sites.

Make sure your passwords are unique for every login. This means that if one site or app is compromised, you haven’t given a cybercriminal access to every online account you own and it’s easier to control the breach.

Follow password management best practices

Ensure you use secure passwords with a combination of:

  1. Uppercase letters
  2. Lower case letters
  3. Numbers
  4. Symbols.

At this point, this is common sense, but we still come across users who don't follow this rule of thumb.

Did you know:

It can take a cybercriminal just five hours to discover a password that's eight characters long, but more than 10 years to crack one that's 11 characters.

And, 74 MILLION YEARS to crack a password that 16 characters long.

So, keep those passwords lengthy. The longer, the better.

A password manager is your friend

We know what you're thinking:

“How will I remember all these long, unique passwords?”

A password manager is how.

With a password manager you only need to remember one, long password that you update regularly. This one password will give you secure access to your other passwords.

Some examples of great password managers:
LastPass, 1Password and Dashlane

And while it might seem like a convenient choice, you shouldn't store your passwords in your internet browser. It's highly insecure and not recommended for your business.

Your best option is to use a password-protected spreadsheet to store your passwords locally. Although we do not recommend this option either, at least it’s safer than reusing "catsname1979".

So - store your passwords in a password manager such as LastPass, 1Password or Dashlane, use a password protected spreadsheet to store them locally, or even a little black book if you prefer.All are safer than reusing "catsname2015"

Don't share passwords between team members

The main reason not to share passwords with team members is that it becomes a nightmare when people move on.

Who had access to what passwords? Which ones do you need to change?

Shared passwords also make it difficult or impossible to track a breach point if, and when, one occurs.

Use a lot of usernames and passwords? Consider single sign-on.

Single sign-on (SSO) is an option for businesses when many different usernames and passwords are required to access applications. SSO allows you to use a secure portal to sign in once to gain access to a variety of apps and sites without having to sign into each one individually.

If this sounds like something your business needs, then a chat with your IT provider will shed some light on whether this is a good option for you.



  • Make sure any money you send is going where you think it is.

Your business needs to be on the lookout for invoice scams. Your accounts team should always authenticate any instructions that involve sending money by speaking directly to the supplier in person, or on the phone.

This is particularly important when it comes to updating invoice payment details. Fraudsters can change bank account details on what looks like a legitimate supplier's invoice to an account they control, and before you know it, you've made a payment to a fake supplier (or even a fake employee).

Always verbally confirm any changes to payment details before actioning them.

email attachment threats



  • Check attachment validity by calling the sender if you're in any doubt.


  • Open attachments from people or businesses you don't know.

Are you expecting an attachment from this person? Does the file name seem a little off? And if it's someone you know, does the body of the email sound like it’s from them?

Hover the mouse cursor over the attachment to see more details before you open it. If you're in any doubt, call the sender to verify the attachment.

Another tip for attachments and links that don't seem quite right (and where you can't verify with the sender), is to try opening the link or attachment on your phone instead of on your PC. Phones are less prone to traditional virus infection. Then, if it does contain something harmful, it won't affect your entire business network, like it could have if you'd opened it on your desktop computer.

But, it's still best to verify before opening.

multi-factor authentication



  • Use two-factor or multi-factor authentication whenever it's available.

Two-factor or multi-factor authentication should be used whenever possible, especially for critical services like online banking, accounting systems, remote access, and email systems.

If you're not sure how it works, you can read our article about this security feature here.

Taking this extra security step might slow things down a little, but it's a good trade off when the consequences of a breach can be VERY costly.

unknown links



  • Check link validity by calling the sender if you're in any doubt.


  • Click on suspicious links in emails or on websites.

Spam filters are pretty clever these days, but you should still be wary of clicking on links in emails or on websites. Make sure the link you're clicking is legitimate.

For example, if you think you're clicking on a link for the NAB, then the link should contain https://nab.com.au/ at the start.

You need to be careful of "cloaking" too.

Cloaking is when a link looks legitimate because the text contains the right URL information, but the actual link will take you somewhere else. To see what the final destination URL is, simply hover the mouse cursor over the top and it will display where the link is really sending you. If it contains http://nabbankcomau.com, then it's likely a fake and clicking the link will give you more than the "special offer" you bargained for.

Whenever you're in doubt, call your managed IT service provider or the person who sent the email.

keep software updated



  • Update your software regularly.


  • Run software that is no longer supported (end of life)

If you don't have up to date software, then you don't have the most up to date security patches. This makes it easier for cyber criminals to exploit you through the software you use every day.

It's particularly important to upgrade when the software you're using comes to "end of life". This means that it's no longer being supported, and security patches are no longer released, leaving vulnerabilities in the software open to attack.

Backup & Disaster Recovery Plan



  • Have a monitored backup system in place
  • Backup regularly and check your backup regularly
  • Make sure your business has a disaster recovery plan


  • Neglect to backup

From manufacturing IT support to IT support service for medical centres, we are still surprised by the number of businesses that either don't have a managed backup solution or haven't checked their backup since 2012.

Your business needs a backup system that's regular (as in daily) and monitored. A back up is an important cyber security measure. This means if something hasn’t backed up correctly, you or your IT provider will know about it and be able to take swift action.

It’s also important to have a disaster recovery plan in place in case you do have a data breach, you won't be left high and dry and minimize the downtime of your business operations.

secure wifi



  • Use a VPN to encrypt your data when connecting to public Wi-Fi

  • Use your mobile network instead of Wi-Fi when possible


  • Contact important business online while connected to public Wi-Fi unless you have a VPN connection.

Your devices are only as secure as the network through which they transmit data. Even the Wi-Fi network to which you connect your devices can open the door to hackers. To protect your business from unwanted eyes, make sure you have a secure Wi-Fi network with strong encryption. 

We know it’s not always possible to connect to a secure Wi-Fi network, like when you're travelling for work or accessing public Wi-Fi networks overseas, in airports, hotels etc. When this is the case, you’ll need to use a Virtual Private Network or VPN to protect your data. 

Don’t use public Wi-Fi without using a VPN. By using a VPN, the traffic between your device and the VPN server is encrypted. This means it’s much more difficult for a cybercriminal to obtain access to your data on your device. And if you don’t have a VPN, then give public Wi-Fi a miss and use your mobile network instead.

secure mobile devices



  • Ensure that your mobile phone uses password protection and fingerprint encryption

  • Minimise access to public Wi-Fi and switch off Bluetooth when possible

  • Have a company mobile phone policy


  • Leave your phone unattended in public places

  • Download files unless absolutely necessary

Smartphones, tablets and other portable devices can pose a threat to your company’s cyber security because their software isn’t regularly updated. This means they’re a potential ‘open-door’ for cyber criminals looking for an easy way into your company's data.

It’s important you have a mobile phone policy in place and get in the habit of making sure your mobile devices are protected from easy access.

printer security



  • Have a company printer policy in place to handle and manage documents

  • Don’t leave printed documents unattended in the printer tray

  • Make sure you’ve set up and configured the printer settings correctly

  • Setup secure printer access via a password or security badges

It’s easy to overlook the potential cyber risk of the humble office printer. It’s just a printer, right?

These days, printers are more sophisticated than ever. They share a lot of the same technology as computers and are embedded in your company's internal network.

It’s important that you make them secure and closed to potential cyber-attacks. You can mitigate the security risks of printers through proper setup and configuring the right settings and security software.

You should train all staff on secure document management and have a policy in place for managing printed documents as well as requiring staff to log-in securely to print documents.

social engineering



  • Be aware of social engineering cyber attacks and have a policy for handling them

  • Train your staff. This is key in preventing social engineering attacks 


  • Share information with anyone outside your company without making sure they’re who they say they are 

Social engineering is a hacking technique that targets human behaviour and doesn’t rely on technical know-how to access your company’s data.

These cyber criminals will often call or email their victims disguised as an authority from a bank, tax office or government agency and attempt to manipulate employees into sharing confidential information such as passwords, access codes and business critical information.

Social engineering is one of the most effective techniques used by cyber criminals to gain access to a business’s confidential property.

Because it relies on human error, the best way to prevent this type of attack is to ensure that your team are trained regularly in identifying, avoiding and reporting socially engineered cyber attacks.

Sending test phishing emails to staff is an excellent way to build up awareness for when a real attack presents itself.

unattended devices



  • Encrypt all portable hard drives and USB devices

  • Physically lock unattended computers

  • Temporarily lock screens when not using your device 

When it comes to cyber security, we often think about technical security, phishing attacks and hackers but cyber attacks can also be physical.

Where possible, don’t leave any device unattended.

Unattended devices at workstations should have a secure lock to prevent them from being moved or stolen. And if a device can’t be locked down (like a portable hard drive for example) make sure it’s been encrypted to prevent unwanted third parties from gaining access.

cyber security company policy



  • Have a cyber security policy in place

Having a cyber security policy is best practice and the first step towards a cyber secure business.

Cyber security is a team sport. It only takes one person with a weak password to let the team down.

Make sure all your staff are aware of your policies around cyber security, privacy and data collection and management.

Train your team about cyber security



  • Train your team regularly on best practice

Technology and cyber-security are ever-changing. This can cause confusion and even experienced people are at risk of leaving the door open in your business.

Make sure you regularly train your team in what to look for. This should include things like:

  • Secure storage of client information and the business’s responsibility to protect sensitive client data
  • Clicking on unknown links in emails
  • Using USB sticks which could introduce viruses into computer systems
  • The use of mobile devices and what to do if they are lost or stolen
  • How to properly dispose of devices and other technology when it's no longer being used.

have a risk management plan



If you're following our checklist from steps 1 - 9, then you'll have significantly reduced the risk of a data breach in your business.

But if the worst should happen, and a breach should occur, you need to be able to quickly spring into action to keep the impact on your business to a minimum.

Having a risk management plan means you'll know exactly what to do in case of a data breach in your business. Your IT provider should be able to help you create a plan, and be your first call to help implement it if things go wrong.

It's time to lock the data door.

Now you’re armed with cyber security measures and where the gaps are in your business’ cyber security might leave you exposed.

Download our cyber security checklist, and get started on locking your data door

Back to News