15 Critical Cyber Security Tips for Business

By Luke Smits - Founder & Operations Manager
illustration with padlock and key on a laptop screen

Cyber security. There's a reason it's on the minds of business owners throughout Australia and the world. Every business collects data. In the era of the internet, data has value. And whenever there's anything valuable, and it's easy enough to take it, and profit from it, you can bet that there's someone, somewhere who's going to give it a go.

Cyber criminals will target any business that leaves itself exposed and a successful cyber attack can have a devastating effect on your business. It's terrible for your reputation, for your brand, and for your customers. At the very least, you'll be embarrassed, and at worst, severe financial repercussions could shut your business down. 

Cyber security attacks should not be taken lightly. They’re concerning and for good reason - the threat to your business is real. And the reality is that many data breaches happen because a business has left the front door open when it comes to their technology.

But the good news is there are things you can do in your organisation to keep the door locked on your data.

Here are our top 15 cyber security tips for small business owners:

Download the 15 Steps to Cyber Security for Business – Checklist

secure password management


Proper password management is one of the most important processes you can implement in your business right now. Here are some helpful tips for maintaining proper passwords:


  • Use a different password for every login
  • Make sure your passwords follow best practice
  • Store your passwords securely using a password manager
  • Consider single sign on.


  • Use the same password across multiple sites or services
  • Store your passwords in your internet browser.
  • Share passwords throughout your team

Make your passwords unique

We've said it before and we'll say it again. Your pet's name combined with your birth year is NOT a good password choice. This is made even worse if you've used that same password across every site.

Make sure your passwords are unique for every login. This means that if one site or app is compromised, you haven't given a cyber criminal access to every online account you own and it's easier to control the breach.

Follow password management best practices

You want to make sure your passwords are a combination of uppercase letters, lower case letters, numbers and symbols. We realise this might be more common knowledge than it used to be, but we still come across users who don't follow this rule of thumb.

You also want to make your passwords lengthy. It can take a cyber criminal just five hours to discover a password that's eight characters long, but more than 10 years to crack one that's 11 characters and a massive 74 MILLION YEARS to crack a password that 16 characters long.

A password manager is your friend

We know what you're thinking. How will I remember all these long, unique passwords? A password manager is how. This way, you only need to remember one, long password that you update regularly and that will give you secure access to your other passwords.
LastPass, 1Password and Dashlane are just a few of the password managers available.

And while  might seem like a convenient choice, you shouldn't store your passwords in your internet browser. It's highly insecure and not a good option for any business.

You'd be better to use a password-protected spreadsheet to store your passwords locally. Even this option (though it's not one we recommend) is safer than reusing "catsname1979".

So - store your passwords in a password manager such as LastPass, 1Password or Dashlane, use a password protected spreadsheet to store them locally, or even a little black book if you prefer, although that is not recommended. All are safer than reusing "catsname2015"

Don't share passwords between team members

The main reason for this is that it becomes a nightmare when people move on. Who had access to what passwords? Which ones do you need to change? And then you're back to trying to share the new password with the team, if you've remembered to change passwords at all. Shared passwords also make it difficult or impossible to track a breach point if a breach occurs.

Use a lot of usernames and passwords? Consider single sign on.

Single sign on (SSO) is an option for businesses when many different user names and passwords are required to access different applications. SSO allows you to use a secure portal to sign in once to gain access to a variety of apps and sites without having to sign into each one individually. If this sounds like your business, then a chat with your IT provider will shed some light on whether this is a good option for you.



  • Make sure any money you send is going where you think it is.

Businesses today need to be on the lookout for invoice scams. Your accounts team should always authentication instructions that involve sending money by speaking directly to the supplier in person, or on the phone.

This is particularly important when it comes to updating invoice payment details. Fraudsters can change bank account details on what looks like a legitimate supplier's invoice to an account they control, and before you know it, you've made a payment to a fake supplier (or even a fake employee).

Always verbally confirm any changes to payment details before actioning them.

email attachment threats



  • Check attachment validity by calling the sender if you're in any doubt.


  • Open attachments from people or businesses you don't know.

Are you expecting an attachment from this person? Does the file name seem a little off? And if it's someone you do know, is the body of the email not really sounding like them?

Hover the mouse cursor over the attachment to see more details before you open it. If you're in any doubt, call the sender to verify the attachment.

Another tip for attachments and links that don't seem quite right (and where you can't verify with the sender), is to try opening the link or attachment on your phone instead of on your PC. Phones are less prone to traditional virus infection. And if it does turn out to contain something harmful, it won't affect your entire business network in the way that it would if you'd opened it on your desktop computer.

But it's still best to verify before opening.

multi-factor authentication



  • Use two-factor or multi-factor authentication whenever it's available.

Two-factor or multi-factor authentication should be used whenever it's available, and especially for critical services like online banking, accounting systems, remote access, and email systems.

If you're not sure how it works, you can read our article about this security feature here.

Taking the extra security step in addition to entering your password might slow things down a little, but it's a good trade off when the consequences of a breach can be VERY costly.

unknown links



  • Check link validity by calling the sender if you're in any doubt.


  • Click on suspicious links in emails or on websites.

Spam filters are pretty clever these days, but you should still be wary of clicking on links in emails or on websites. Make sure the link you're clicking in legitimate.

For example, if you think you're clicking on a link for the NAB, then the link should contain https://nab.com.au/ at the start.

You need to be careful of "cloaking" too. This is where the link looks legitimate because the text contains the right URL information, but the actual link will take you somewhere else. To see what the link actually is, simply hover the mouse cursor over the top and it will display where the link is really sending you. If it contains http://nabbankcomau.com, then it's likely a fake and clicking the link will give you more than the "special offer" you bargained for.

Whenever you're in doubt, call your managed IT service provider or the person who sent the email.

keep software updated



  • Update your software regularly.


  • Run software that is no longer supported (end of life)

If you don't have up to date software then you don't have the most up to date security patches. This makes it easier for cyber criminals to exploit you through the software you use every day.

It's particularly important to upgrade when the software you're using comes to "end of life". This means that it's no longer being supported, and security patches are no longer being released, leaving vulnerabilities in the software open to attack.

Backup & Disaster Recovery Plan



  • Have a monitored backup system in place
  • Backup regularly and check your backup regularly
  • Make sure your business has a disaster recovery plan


  • Neglect to backup

From manufacturing IT support to IT support service for medical centres. We are still surprised by the number of businesses that either don't have a managed backup solution or haven't checked their backup since 2012.

You'll want to have a backup system that's regular (as in daily) and monitored. This means when something didn't backup correctly you or your IT provider will know about it and be able to take swift action.

It’s also important to have a disaster recovery plan in place in case you do have a data breach, you won't be left high and dry and minimize the downtime of your business operations.

secure wifi



  • Use a VPN to encrypt your data when connecting to public Wi-Fi

  • Use your mobile network instead of Wi-Fi when possible


  • Contact important business online while connected to public Wi-Fi unless you have a VPN connection.

Your devices are only as secure as the network through which they transmit data. Even the Wi-Fi network you connect your devices to can open the door to hackers. To protect your business from unwanted eyes, make sure you have a secure Wi-Fi network with strong encryption. 

We know it’s not always possible to connect to your secure Wi-Fi network, like when you're travelling for work or accessing public Wi-Fi networks overseas, in airports, hotels etc. When this is the case, you’ll want to  use a Virtual Private Network or VPN to protect your data.. 

Don’t use public Wi-Fi without using a Virtual Private Network (VPN). By using a VPN, the traffic between your device and the VPN server is encrypted. This means it’s much more difficult for a cybercriminal to obtain access to your data on your device. And if you don’t have a VPN, then give public Wi-Fi a miss and use your mobile network instead.

secure mobile devices



  • Ensure that your mobile phone uses password protection and fingerprint encryption

  • Minimise access to public Wi-Fi and switch off Bluetooth when possible

  • Have a company mobile phone policy


  • Leave your phone unattended in public places

  • Download files unless absolutely necessary

Smartphones, tablets and other portable devices can pose a threat to your company’s cyber security because their software isn’t regularly updated. This means they’re a potential ‘open-door’ for cyber criminals looking for an easy way into your company's data.

It’s important you have a mobile phone policy in place and get in the habit of making sure your mobile devices are protected from easy access.

printer security



  • Have a company printer policy in place to handle and manage documents

  • Don’t leave printed documents unattended in the printer tray

  • Make sure you’ve set up and configured the printer settings correctly

  • Setup secure printer access via a password or security badges

It’s easy to overlook the potential cyber risk of the humble office printer. It’s just a printer, right?

These days, printers are more sophisticated than ever. They share a lot of the same technology as computers and are embedded in your company's internal network. It’s important that you make them secure and closed to potential cyber attacks. You can mitigate the security risks of printers through proper setup and configuring the right settings and security software. You also should train all staff on secure document management and have a policy in place for managing printed documents as well as requiring staff to log-in securely to print documents.

social engineering



  • Be aware of social engineering cyber attacks and have a policy for handling them

  • Train your staff. This is key in preventing social engineering attacks 


  • Share information with anyone outside your company without making sure they’re who they say they are 

Social engineering is a hacking technique that targets human behaviour and doesn’t rely on technical know-how to access your company’s data. These cyber criminals will often call or email their victims disguised as an authority from a bank, tax office or government agency and attempt to manipulate employees into sharing confidential information such as passwords, access codes and business critical information.

Social engineering is one of the most effective techniques used by cyber criminals to gain access to a business’s confidential property. Because it relies on human error, the best way to prevent this type of attack is to ensure that your team are trained regularly in identifying, avoiding and reporting socially engineered cyber attacks. Sending test phishing emails to staff is an excellent way to build up awareness for when a real attack presents itself.

unattended devices



  • Encrypt all portable hard drives and USB devices

  • Physically lock unattended computers

  • Temporarily lock screens when not using your device 

When it comes to cyber security, we often think about technical security, phishing attacks and hackers but cyber attacks can also be physical.

Where possible, don’t leave any device unattended. In the case of computers at workstations, ensure that unattended devices have a secure lock to prevent them from being moved or stolen. And if a device can’t be locked down (like a portable hard drive for example) make sure it’s been encrypted to prevent unwanted third parties from gaining access.

cyber security company policy



  • Have a cyber security policy in place

Having a cyber security policy is the best practice, first step towards a cyber secure business.

Cyber security is a team sport. It only takes one person with a weak password to let the team down. Make sure all your staff are aware of your policies around cyber security, privacy and data collection and management. And they are practised in implementing them.

Train your team about cyber security



  • Train your team regularly on best practice

Technology is changing all the time, which means cyber security best practice is changing all the time too. This can make it a bit confusing and even the most intelligent people are at risk of leaving the door open in your business.

Make sure you regularly train your team in what to look for. This should include things like:

  • Secure storage of client information and the businesses responsibility to protect sensitive client data
  • Clicking on unknown links in emails
  • Using USB sticks which could introduce viruses into computer systems
  • The use of mobile devices and what to do if they are lost or stolen
  • How to properly dispose of devices and other technology when it's no longer being used.

have a risk management plan



If you're following our checklist from steps 1 - 9, then you'll have significantly reduced the risk of a data breach in your business.

But if the worst should happen, and a breach should occur, you need to be able to quickly spring into action to keep the impact on your business to a minimum.

Having a risk management plan means you'll know exactly what to do in case of a data breach in your business. Your IT provider should be able to help you create a plan, and be your first call to help implement it if things go wrong.

It's time to lock the data door.

Now you're armed with the knowledge, where are the gaps in your business' cyber security that might leave you exposed?

Download our cyber security checklist, and get started on locking your data door

Back to News