Seven things small businesses must do to prevent cyber-attacks

Media release

28 August 2018

Australia's small and medium sized businesses are increasingly under threat of cyber-attack, but most are unaware of the risk or are doing almost nothing to prevent it, according to a Deakin University cyber security expert.

Professor Matthew Warren, Deputy Director of Deakin's Centre for Cyber Security Research and Innovation, said business owners were becoming more and more dependent on IT systems and therefore vulnerable to new and emerging security risks.

"From hairdressers to builders, accountants to GPs, small businesses are using IT to improve, expand and market their services, and that includes things like booking services, online sales, social media promotion, websites and customer databases," Professor Warren said.

"The problem is that they may not have the appropriate resources, expertise or understanding to protect their systems and key data – they're using the technology from a convenience perspective but without properly understanding the privacy and security risks.

"Many think security is not their responsibility but it's a serious risk that can destroy their business."

Professor Warren's warning comes as Victoria celebrates its annual Small Business Festival this month. He said a key priority in developing the state's small business economy must be the promotion of cyber security.

Professor Warren said there were seven simple things owners of small and medium businesses should do to protect themselves:

  1. Patch systems and enable automatic patching. Keep all systems and software packages updated (called patching); patching can be done automatically rather than being applied individually by users.
  2. Back up all important data.
  3. Use cloud-based email and/or data storage.
  4. Use strong authentication. Use passphrases instead of passwords and use two stage authentication where possible.
  5. Set up different accounts. For example you can set up an administrator account, as well as user accounts.
  6. Don't use the same password across all accounts (Twitter, Facebook, LinkedIn, Gmail, Adobe, Apple, etc). When one is hacked, they all become vulnerable if you're using the same password.
  7. Don't click on links, attachments or images from people not known to you. Criminals often hack one account and use that account to send malware to people in the contact list.

Small to Medium Enterprises (SMEs) are categorised as any business with fewer than 200 staff. They represent 96 per cent of Australian businesses, and employ almost half of Australia's private workforce, contributing a third of Australia's GDP.

Professor Warren said data showed there were nearly 700,000 cyber-attacks against Australian organisations each year, with 60 per cent of those attacks being made against SMEs.

"One prominent example we saw in 2016 was when thieves hacked into the computer system of a SME that held a national security contract with the Federal Government," Professor Warren said.

"The intruders had access to the IT network for a long period of time and stole large amounts of the defence supplier's data.

"While not all breaches will impact on matters of national security, when you consider that the average time it takes to resolve a cyber-attack is 23 days, that can still have an enormous impact on a small business' operations and ultimately on its bottom line.

"SMEs need to ask themselves – if they were a victim of a cyber-attack, how much immediate business would they lose, could they restore their system and data, and would their customers have confidence in their organisation in the future?"

Deakin University offers a free online SME cyber security short course through FutureLearn, for more information visit

Professor Warren will also be running a cyber security event for SMEs with the City of Yarra as part of the Victorian Government's Digital Innovation Festival on 6 September, you can find more information here.
