Small Business Guide
Every day we do things to safeguard ourselves and our businesses — we apply sunscreen to protect ourselves from the sun; we take out insurance for our health, homes, cars and business; and we watch the news to keep up-to-date on current issues and events. Just like putting on sunscreen when we go out on a sunny day, protecting our online information should become part of our normal day-to-day activities.
This short guide was developed to help you put in place some basic online security practices. It only takes a few minutes to read through the five easy steps, which will provide you with the basics on how to protect the information entrusted to you by your customers and suppliers.
Your business is your business—whether you're in business or managing someone else's business, you are responsible for its success. Stay Smart Online is the Australian Government's online safety and security information service, designed to help everyone understand the risks and simple steps that can be taken to protect personal and financial information when using the internet.
The guide has been developed by the Australian Government's Stay Smart Online initiative in collaboration with Australia Post, Australia and New Zealand Banking Group Limited, Commonwealth Bank, National Australia Bank, NBN Co, Westpac and Telstra.
Keep friends close and information closer.
Take protecting your business seriously—do not share passphrases or keep sensitive business or customer data on computers outside your control.
Administrators need greater access privileges than normal users so they can undertake activities that may impact several users or business processes. Avoid software that gives standard users the same access privileges as administrators. In addition, employees should have individual access credentials for each business system (not shared credentials).
Your business information is a valuable commodity. Do you know who has access to your information? Your employees should only have access to the information they need to do their job. By limiting that access on a need-to-know basis, you reduce the risk of an 'insider' accidentally or maliciously releasing confidential information.
Action: Take responsibility for making your team understand information security, and include this in your business plan. Refer to the Implementation Guide available online for actions that help maintain the confidentiality of information within your business.
More information about privacy is available in the Your Identity section.
Sunscreen protects us: passphrases protect information.
Protecting yourself against too much sun is important. You should apply the same diligence online to protect your information from exposure and consequent loss or damage.
If you are running a small business, you need to educate your team to protect your business information held on desktop computers and mobile devices such as smartphones and tablets. Using strong passphrases is the online equivalent of applying a strong sunscreen.
Put simply, passphrases are a series of words that are longer, easier to remember and harder to guess than traditional passwords. However, you should avoid using passphrases that are drawn from dictionaries or that may be relatively easy to decipher.
Passphrases can help prevent criminals from accessing critical information that can be used for fraud or to extort your business. They should be used for all fixed and mobile devices, and where possible, in combination with other security measures such as firewalls and antivirus software.
Encouraging your workers to use two-factor authentication is another way of improving security. Instead of using just a username and password to log in to an account (a username and password are typically regarded as one factor), your workers have to provide two factors—such as something they know (like a password) and something they have (like a one-time code sent to their mobile phone)—to gain access.
Action: Tell your employees to create passphrases for their online accounts. Advise them to use two-factor authentication or verification for additional protection.
More information about passwords is available in the Set and Use Strong Passwords page.
All eyes open to stay secure.
Like keeping up with the news, the more aware people are about online security, the more capable they are of applying that knowledge to protect your business.
Staying smart online is not just about you and your team; it is also about insisting that your business partners and suppliers, and even your family and friends, stay up-to-date with the latest scams, spam and internet threats.
Being aware also means knowing the right questions to ask. As a business owner, you need to be able to have an informed discussion with your IT provider to ensure they can meet your needs.
Awareness also extends to being on the lookout for suspicious messages, including:
- phishing emails or text messages (these messages try to lure you into providing your passwords, online banking details or other sensitive information)
- spam (unsolicited advertising or promotional messages), and
- fake telemarketing calls requesting personal or financial information.
You should always be suspicious of unsolicited messages or phone calls requesting personal or financial information. If you have any doubt regarding the legitimacy of a phone call or message, contact the organisation to confirm it by using a phone number, address or form sourced from its legitimate website.
If you have provided your details to a suspicious caller or sender, immediately change your passwords and associated information. You should also alert service providers such as your bank and ask them to monitor your accounts for unusual activity.
Action: Look for the padlock symbol in your browser address bar and 'https' at the start of the website address when visiting sites. Also manually type website addresses into your browser's address bar and check that the address displays properly with no added letters, numbers or symbols.
More information is available in the Business section.
Network and device security
Lock down your computers (and networks)!
You keep your home and office free of pests—do the same for your business systems. Having antivirus software that is updated regularly is a good start, as well as setting your systems to automatically update software.
Did you know that mobile phones and tablets may provide access to your sensitive business information? Insist workers lock them with PINs in case of loss or theft and limit business information stored on them. Treat any network that your business does not control as insecure, particularly public wi-fi. Educate your workers to be wary of plugging unknown USB drives into their computers as these drives may contain viruses.
You can also improve the safety of your business by using separate computers at home for work and personal activities. This reduces the risk of your work files being infected by you or other members of your family as you or they browse the web, play games or undertake other activities online.
In recent years, criminals and malicious individuals have turned to extortion as a way of obtaining money from businesses. Extortion techniques include tricking workers into infecting computers with ransomware that encrypts files so the criminals can demand payment (usually in digital currencies such as bitcoin) for the decryption key.
Action: Keep your security software up to date and back up your data to devices or locations isolated from your corporate network.
More information about securing computers is available in the Computers section.
Insure your data: back it up!
You insure your house, health, car, life and physical business assets, but can you replace your lost or damaged business data? Not backing up your data can cost you your business.
What is business data? It includes accounting files, invoicing and quoting systems, letters and emails, information and resources, and even your website files.
Regularly backing up your data or setting devices to automatically back up can help you quickly recover from a cyber attack, hard disk failure or another disastrous event.
Back up your data to a removable storage device such as a hard drive. Do not back up to your computer as it may become compromised too.
Action: Take your backup offsite or store it securely, like other important documents. Test your backup system regularly to ensure that it restores all information correctly.
More information about backing up your data is available in the Computers section.
Detailed information about scams, including phishing scams, and how to report them is available through SCAMwatch or by calling 1300 795 995.
To report a cybercrime, visit the Australian Cybercrime Online Reporting Network or call your local police.
Information about small business privacy requirements is available on the Office of the Australian Information Commissioner website.
The Australian Government's Digital Business website can assist you with simple, practical tips on how to get your business or organisation online and take advantage of the opportunities that the internet can bring.
Stay Smart Online recommends that, if your computer network is compromised, you seek immediate technical advice that is relevant to your personal circumstances.