Cyber security tips for small businesses

With many Australians still working from home, it’s important for Small to Medium Enterprises (SMEs) to think about their cyber security strategy and make sure sensitive information such as personal staff details, customer information, financial transactions and proprietary data is kept secure.

Small businesses typically don’t have a dedicated IT resource looking after their security, so there may be fewer obstacles between an attacker and the payoff of a quick scam that gives them access to private information and other valuable data.

So, what can you do to keep your small business safe? We’ve put together some tips to consider for digital safety:

  • Implement a strong password policy
  • Enable two-factor authentication
  • Back up your data
  • Work with a trusted IT company
  • Secure your CMS platform

Let’s dive right in!

It all starts with passwords

Passwords are the bread and butter of security, and it’s important that the passwords you use for all business accounts and devices are not only strong, but updated regularly. Here are some tips to keep in mind:

  • Enforce a strong password policy where passwords must be at least 8 characters long with a combination of letters, numbers and symbols.
  • Alternatively, use lengthy passphrases instead of shorter passwords (e.g. full sentences or book/movie quotes without any spaces).
  • Update passwords regularly – set a regular reminder for yourself every 30-90 days or so.
  • Never put all your eggs in one basket – use unique passwords for each account.
  • Always lock your computer or smartphone before you step away.
  • Use a password wherever possible – including your computers, smartphones, digital accounts and the WiFi connection used at your workplace.
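As an added example that is not part of the original article, here is a small audit routine that checks an existing credential against the password rules listed above: 8+ characters mixing letters, numbers and symbols (or a long passphrase), unique per account, and rotated within the 30-90 day window. The 20-character passphrase minimum, the 90-day cut-off and the function names are assumptions.

```python
# Added example: audit one stored credential against the article's password tips.
# Thresholds marked "assumption" are not stated in the article.
import hashlib
import string
from datetime import date, timedelta

MIN_PASSWORD_LEN = 8                    # article: at least 8 characters
MIN_PASSPHRASE_LEN = 20                 # assumption: what counts as "lengthy"
MAX_PASSWORD_AGE = timedelta(days=90)   # article: rotate every 30-90 days


def fingerprint(secret: str) -> str:
    """Hash a password so reuse can be checked without keeping it in clear text.
    This is only an in-memory comparison key; real storage needs a salted slow hash."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def audit_credential(password: str, other_fingerprints: set,
                     last_changed: date, today: date) -> list:
    """Return the list of policy violations; an empty list means the credential passes."""
    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)

    # Rule 1a: 8+ characters with a combination of letters, numbers and symbols ...
    complex_ok = (len(password) >= MIN_PASSWORD_LEN
                  and has_letter and has_digit and has_symbol)
    # Rule 1b: ... or a lengthy passphrase (spaces stripped, as the article suggests).
    passphrase_ok = len(password.replace(" ", "")) >= MIN_PASSPHRASE_LEN
    if not (complex_ok or passphrase_ok):
        problems.append("too weak: need 8+ chars with letters, numbers and symbols, "
                        "or a passphrase of 20+ characters")

    # Rule 2: unique per account; compare against hashes of the other passwords in use.
    if fingerprint(password) in other_fingerprints:
        problems.append("reused: this password is already used on another account")

    # Rule 3: rotated regularly; flag anything older than the 90-day window.
    if today - last_changed > MAX_PASSWORD_AGE:
        problems.append("stale: last changed more than 90 days ago")
    return problems
```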

Enable Two Factor Authentication

Now that your passwords are secure, it’s time to take it up a notch with Two Factor Authentication, also known as 2FA. You may already have 2FA in use with your banking institution. To log in successfully, you’ll not only need a password – you’ll also need to confirm a second authentication factor, such as a unique code sent via SMS to a mobile listed on your account.

You should aim to use 2FA wherever it is available, particularly for bank accounts, cloud services, and social media profiles. The Australian Cyber Security Centre has a range of how-to guides for turning on 2FA here.
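As an added example that is not from the article or from any particular 2FA provider, here is the server side of the SMS-code step described above: after the password check, a one-time code is issued, and the user's reply is accepted only while the code is fresh, only once, and only within a small number of attempts. The five-minute lifetime, the three-attempt limit and the class and method names are assumptions.

```python
# Added example: server-side handling of an SMS one-time code (second factor).
# Lifetime and attempt limit are assumptions, not values from the article.
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 300   # assumption: code is valid for five minutes
MAX_ATTEMPTS = 3              # assumption: code is cancelled after three wrong guesses


class SmsSecondFactor:
    """Issues one-time codes after a correct password and verifies the user's reply."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so tests can control expiry
        self._pending = {}      # username -> (code_hash, expires_at, attempts_left)

    def issue_code(self, username: str) -> str:
        """Generate a fresh 6-digit code and return it so the caller can send the SMS.
        Only a hash is kept server-side, so a database leak does not expose live codes."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (
            hashlib.sha256(code.encode()).hexdigest(),
            self._clock() + CODE_LIFETIME_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Return True only for the current, unexpired, not-yet-used code."""
        entry = self._pending.get(username)
        if entry is None:
            return False                     # nothing outstanding (or already used)
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]      # expired: the user must request a new code
            return False
        submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
        # compare_digest avoids leaking how many characters matched through timing
        if hmac.compare_digest(code_hash, submitted_hash):
            del self._pending[username]      # single use: accept exactly once
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]      # too many wrong guesses: cancel the code
        else:
            self._pending[username] = (code_hash, expires_at, attempts_left)
        return False
```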

Back up often

Data loss isn’t just potential fallout from a security incident: it could also happen from power loss or other software/hardware malfunctions. That’s why it’s important to back up your data regularly so you can revert to the most recently saved data and minimise your losses. If you’re not sure where to start on backups, check out this guide from How-To Geek.

Of course, your backed-up data needs to be protected, too – if you’re backing up to a physical hard drive, keep the hard drive somewhere secure, like a safe. If you’re backing up to the cloud, always do your research to ensure you’re using a reputable cloud storage company.

Have a plan ready

Even with strong security and regular backups, it’s best to prepare for a worst-case scenario in advance, so you don’t have to improvise once it has already happened and you’re under a lot of stress. Make your plans while you’ve got a clear head and keep them documented, so you’ll have a procedure to follow in the event of a data breach. You should consider:

  • Do you have the contact details of an IT company to contact in the event that your computer is infected by a virus or other malware?
  • Do you know how to restore information from a backup to your device(s)?
  • Will you need to contact IT support to regain access to your accounts on cloud services, social media, etc.?
  • If an employee is leaving the business, what should be done to ensure they can no longer access business systems/accounts?

Secure your CMS

Many small businesses take advantage of free or low-cost Content Management Systems (CMS) such as WordPress to manage the content of their websites. However, some of these CMS platforms may contain weaknesses that could be exploited by a malicious party.

  • Hide the login box on your website so it’s not visible to the public. Your staff can log in through the back-end admin screen if they need to.
  • Set a custom username and password. The default username of ‘admin’ is too common, and a known username makes the account easier to attack.
  • Hide your directory listing and public folders, such as the ‘wp-includes’ folder in WordPress. It’s much harder for your website to be hacked when it’s not clear which platform your website is running on. This tutorial video will walk you through it for WordPress.
  • Be very wary of add-ons and plugins as not all of them are safe. Do your research before adding anything to make sure it’s coming from a reputable source.

Educate employees

Many small businesses are operated solo, but whether it’s just you or a small team, every single employee should know their stuff about internet safety. It only takes one weak link opening a suspicious email attachment to put your business at risk. While you may not have an HR department to develop formal security guidelines, here are some great resources to cover the basics:
  1. Lloyd says:

    Unexpected emails:
    (1) I always have “Load remote content” off
    (2) I turn off my wifi
    (3) I move the email to the bin (where nothing in it will execute)
    (4) I view the source code of the email: if it looks OK I’ll go back and open it as email (and, depending on the need, I allow remote content to load).

    Phone calls: if I don’t recognise the caller number I don’t answer it. If the caller doesn’t leave a message, then that’s fine by me – no followup required.

  2. Lloyd says:

    CMS: I had a WordPress site and paid for a service that removed malicious content.
    But the malicious content got there anyway.
    And, given that WordPress is php+mysql, I found I could make my website safer and lighter just by building the functionality I need.
    OK: I miss out on some goodies, but I also avoid the baddies, and I know what my code is doing.

  3. alan howard says:

    Use Red Hat Server or Ubuntu Server. A lot better than anything from Microsoft. Don’t use Outlook or Outlook Express, don’t use Microsoft web browsers. Microsoft Office (there are better alternatives), Microsoft Internet Exchange, all are buggy and insecure.

  4. Nick says:

    One critical thing that is missing is patching. Make sure your applications are up to date. The vast majority of compromises are based on exploiting known vulnerabilities. Have a look at the ASD Essential 8. Very good resource for all businesses, even for your home.

  5. I’m not very good with these sorts of things. Is it possible someone gives me a call PH: and takes me through things? iiNet has my phone number, so could someone please call me.

  6. Dr Barns says:

    Thanks Gina n’all…
    This is also very useful for small and volunteer NFPs (Not For Profits) so you might like to adjust some of the wording (eg ‘small business and NFPs’?) to show you are thinking of a wider range of potential clients.
    — Dr Barns